Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Nukem Loans>Discussion>Initializer called in constructor
GeneralOverview
Findings
Critical (3)
High (3)
Medium (2)
Low (1)
DiscussionInitializer called in constructorBorrowing on behalf of the Market contractPotential storage-collision issueSaferERC20 additional checksEIP-712 implementationMarket setters should only be called onceUtilizing eth-brownie for testingCentralizationAMM oracle pricing
Threat ModelWhat are threat models?AbstractSwapper.solAuctions.solCollateral.solCredit.solDebt.solEIP712.solERC20Base.solERC20Permit.solEnFi4626.solLendingStrategy.solMarket.solProxyManager.solRoles.solSaferERC20.solUniswapV2Swapper.sol
Audit ResultsSummary

Initializer called in constructor

The initializer function is typically called in an upgradable contract as a way of initializing the storage variables, as the constructor itself will not be called. However, in the case of Ownable2.sol, the initializer is called in the constructor, which does not follow the intended pattern for upgradable contracts.

constructor() {
    Ownable_init();
}

// @audit-issue this is not really an initializer
function Ownable_init() internal {
    _transferOwnership(_msgSender());
}

We recommend removing the call to the initializer in the constructor and instead calling it in an external initialize function, as is the standard for upgradable contracts. This should be applied project wide, as the same erroneous pattern is used in other contracts as well.

Zellic © 2023Back to top ↑