Category: Coding Mistakes

Constructor left uninitialized

Severity: Medium
Impact: Medium
Likelihood: Medium

Description

The Memecoin Launcher is upgradable and uses the UUPS Proxy mechanism. Thus, the contract is initialized by the initialize function and not the constructor. However, as mentioned in the OpenZeppelin documentation, the implementation contract should not be left uninitialized.

Impact

An attacker may initialize the implementation contract, which allows them to own it. This is a reputational hazard, because the implementation contract looks legitimate, since it was deployed by a legitimate deployer.

Recommendations

To prevent the implementation contract from being used, OpenZeppelin recommends adding a constructor that invokes the _disableInitializers function, which locks the implementation contract when it is deployed.
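
The recommended constructor, together with a test that checks the lock, as an added example that is not PondFun's code. It assumes OpenZeppelin Contracts (Upgradeable) v5.x and Foundry's forge-std; LauncherExample and the test names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not PondFun's code. Assumes OpenZeppelin Contracts v5.x and
// forge-std; LauncherExample and LauncherExampleTest are hypothetical names.
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";
import {Test} from "forge-std/Test.sol";

contract LauncherExample is Initializable, OwnableUpgradeable, UUPSUpgradeable {
    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // Runs against the implementation's own storage at deployment and marks
        // it as initialized, so initialize() can never succeed on it directly.
        _disableInitializers();
    }

    // Runs once, through the proxy, against the proxy's storage.
    function initialize(address initialOwner) external initializer {
        __Ownable_init(initialOwner);
    }

    // UUPS upgrade authorization: only the owner set through the proxy.
    function _authorizeUpgrade(address) internal override onlyOwner {}
}

contract LauncherExampleTest is Test {
    function test_ImplementationIsLocked() public {
        LauncherExample impl = new LauncherExample();
        // Direct initialization of the implementation must revert.
        vm.expectRevert(Initializable.InvalidInitialization.selector);
        impl.initialize(address(this));
        assertEq(impl.owner(), address(0));
    }

    function test_ProxyStillInitializes() public {
        LauncherExample impl = new LauncherExample();
        bytes memory data = abi.encodeCall(LauncherExample.initialize, (address(this)));
        LauncherExample proxied = LauncherExample(address(new ERC1967Proxy(address(impl), data)));
        assertEq(proxied.owner(), address(this));
        // A second initialization through the proxy is rejected as well.
        vm.expectRevert(Initializable.InvalidInitialization.selector);
        proxied.initialize(address(0xBEEF));
    }
}
```

Running the first test against an implementation without the constructor fails, because the direct initialize call succeeds and sets an owner; that failure is the condition this finding describes.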

Remediation

This issue has been acknowledged by PondFun, and a fix was implemented in commit 4e0ee0eb.

Zellic © 2025