Constructor left uninitialized
Description
The Memecoin Launcher is upgradable and uses the UUPS Proxy mechanism. Thus, the contract is initialized by the initialize function and not the constructor. However, as mentioned in the OpenZeppelin documentation, the implementation contract should not be left uninitialized.
Impact
An attacker may initialize the implementation contract directly, which allows them to own it. This is a reputational hazard because the implementation contract looks legitimate, since it was deployed by a legitimate deployer.
Recommendations
To prevent the implementation contract from being used, OpenZeppelin recommends adding a constructor that invokes the _disableInitializers function to lock it when it is deployed.
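The pattern described above and the recommended fix, side by side, as an added example that is not code from the PondFun codebase or from this finding. It assumes OpenZeppelin Contracts and Contracts Upgradeable v5 (where __Ownable_init takes the initial owner and the revert is InvalidInitialization()), a Foundry environment with forge-std, and a hypothetical MemecoinLauncher-style contract reduced to a single feeRecipient setting. The test contract at the end is the check a reviewer would run: the locked implementation rejects initialize(), while a proxy in front of it still initializes normally.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not PondFun code. Assumes OpenZeppelin (Upgradeable) v5 and forge-std.
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";
import {Test} from "forge-std/Test.sol";

/// Pattern as found: no constructor, so the implementation contract itself is
/// left uninitialized after deployment. Anyone can call initialize() on the bare
/// implementation and become its owner. The proxy's storage is unaffected, but the
/// implementation now looks like a legitimately owned, deployer-created contract.
contract LauncherUninitialized is Initializable, UUPSUpgradeable, OwnableUpgradeable {
    address public feeRecipient; // hypothetical setting, stands in for real launcher state

    function initialize(address owner_, address feeRecipient_) external initializer {
        __Ownable_init(owner_);
        __UUPSUpgradeable_init();
        feeRecipient = feeRecipient_;
    }

    function _authorizeUpgrade(address) internal override onlyOwner {}
}

/// Recommended form: the constructor executes only in the implementation's own
/// deployment (never through a proxy), and _disableInitializers() marks the
/// implementation as fully initialized, so any later initialize() on it reverts
/// with InvalidInitialization(). Proxies keep their own storage and still
/// initialize as before.
contract LauncherLocked is Initializable, UUPSUpgradeable, OwnableUpgradeable {
    address public feeRecipient;

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        _disableInitializers();
    }

    function initialize(address owner_, address feeRecipient_) external initializer {
        __Ownable_init(owner_);
        __UUPSUpgradeable_init();
        feeRecipient = feeRecipient_;
    }

    function _authorizeUpgrade(address) internal override onlyOwner {}
}

/// Foundry check for the fix: run with `forge test --match-contract LockCheck`.
contract LockCheck is Test {
    // The unlocked implementation accepts initialize() from any caller.
    function test_uninitializedImplementationIsClaimable() public {
        LauncherUninitialized impl = new LauncherUninitialized();
        impl.initialize(address(0xBEEF), address(0xBEEF)); // constructed sample addresses
        assertEq(impl.owner(), address(0xBEEF));
    }

    // The locked implementation rejects initialize() outright.
    function test_lockedImplementationCannotBeInitialized() public {
        LauncherLocked impl = new LauncherLocked();
        vm.expectRevert(Initializable.InvalidInitialization.selector);
        impl.initialize(address(this), address(this));
    }

    // Locking the implementation does not break initialization through a proxy.
    function test_proxyStillInitializes() public {
        LauncherLocked impl = new LauncherLocked();
        bytes memory initData = abi.encodeCall(LauncherLocked.initialize, (address(this), address(this)));
        ERC1967Proxy proxy = new ERC1967Proxy(address(impl), initData);
        LauncherLocked launcher = LauncherLocked(address(proxy));
        assertEq(launcher.owner(), address(this));
        assertEq(launcher.feeRecipient(), address(this));
    }
}
```

The first test is what the Impact section describes: nothing stops an arbitrary account from becoming owner of the bare implementation. The remaining two tests are the acceptance criteria for the remediation: once the constructor with _disableInitializers() is in place, the implementation's initialize() reverts while the proxy path is unchanged.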
Remediation
This issue has been acknowledged by PondFun, and a fix was implemented in commit 4e0ee0eb.