Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Memecoin Launcher>Medium findings>Constructor left uninitialized
GeneralOverview
Findings
High (2)
Medium (1)Constructor left uninitialized
Low (4)
Informational (1)
DiscussionToken names and symbols may be identicalPrice gap during deploymentIncomplete documentationCentralization riskVariable DEX deploy price creates arbitrage opportunity
Threat ModelWhat are threat models?PondFun.sol
Audit ResultsAssessment Results
Category: Coding Mistakes

Constructor left uninitialized

Medium Severity
Medium Impact
Medium Likelihood

Description

The Memecoin Launcher is upgradable and uses the UUPS Proxy mechanism. Thus, the contract is initialized by the initialize function and not the constructor. However, as mentioned in the OpenZeppelin documentation, the implementation contract should not be left uninitialized.

Impact

An attacker may initialize the implementation contract, which allows them to own it. This is a reputational hazard, because the implementation contract looks legitimate, since it was deployed by a legitimate deployer.

Recommendations

To prevent the implementation contract from being used, OpenZeppelin recommends to add a constructor that invokes the _disableInitializers function to lock it when it is deployed.

Remediation

This issue has been acknowledged by PondFun, and a fix was implemented in commit 4e0ee0eb.

Zellic © 2025Back to top ↑