Description

The contract BalancerOracleAdapter inherits the contract OwnableUpgradeable, but it does not invoke the initializer of the contract OwnableUpgradeable during its own initialization.

contract BalancerOracleAdapter is Initializable, OwnableUpgradeable, UUPSUpgradeable, PausableUpgradeable, ReentrancyGuardUpgradeable, AggregatorV3Interface, OracleReader {
  // [...]
  function initialize(
    // [...]
  ) initializer external {
    __OracleReader_init(_oracleFeeds);
    __ReentrancyGuard_init();
    __Pausable_init();
    poolAddress = _poolAddress;
    decimals = _decimals;
  }
  // [...]
}

Impact

The owner is never initialized, and the owner function returns the default zero address. No one is the owner who is authorized to upgrade the contract.

function _authorizeUpgrade(address newImplementation)
  internal
  onlyOwner
  override
{}

Recommendations

Consider initializing the contract OwnableUpgradeable in the function initialize of the contract BalancerOracleAdapter.

Remediation

This issue has been acknowledged by Plaza Finance, and a fix was implemented in commit 25d4e0e7↗.