Category: Coding Mistakes
Incorrect initialization of the contract BalancerOracleAdapter
Medium Severity
Medium Impact
High Likelihood
Description
The contract BalancerOracleAdapter inherits the contract OwnableUpgradeable, but it does not invoke the initializer of the contract OwnableUpgradeable during its own initialization.
    contract BalancerOracleAdapter is Initializable, OwnableUpgradeable, UUPSUpgradeable, PausableUpgradeable, ReentrancyGuardUpgradeable, AggregatorV3Interface, OracleReader {
        // [...]
        function initialize(
            // [...]
        ) initializer external {
            __OracleReader_init(_oracleFeeds);
            __ReentrancyGuard_init();
            __Pausable_init();
            poolAddress = _poolAddress;
            decimals = _decimals;
        }
        // [...]
    }
Impact
The owner is never initialized, so the owner function returns the default zero address. Because the upgrade authorization hook is restricted by onlyOwner, no one is authorized to upgrade the contract.
    function _authorizeUpgrade(address newImplementation)
        internal
        onlyOwner
        override
    {}
Recommendations
Consider initializing the contract OwnableUpgradeable in the function initialize of the contract BalancerOracleAdapter.
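To catch this class of mistake before deployment, the check below lists inherited parents whose initializer is never called from initialize. It is an added example, not code from the audit or from Plaza Finance; the helper names, the NO_INIT list, and the argument passed to __Ownable_init in the FIXED sample are assumptions.

```python
import re

# Parents with no state-setting initializer to call. This list is an assumption
# of this example; verify it against the library version your project uses.
NO_INIT = {"Initializable", "UUPSUpgradeable", "AggregatorV3Interface"}

def _brace_block(src, start):
    """Return the {...} block that opens at or after index `start`."""
    i, depth = src.index("{", start), 0
    for j in range(i, len(src)):
        depth += (src[j] == "{") - (src[j] == "}")
        if depth == 0:
            return src[i:j + 1]
    raise ValueError("unbalanced braces")

def missing_parent_inits(source, contract, init_fn="initialize"):
    """List parents whose __X_init (OwnableUpgradeable -> __Ownable_init) is not called."""
    src = re.sub(r"//[^\n]*|/\*.*?\*/", "", source, flags=re.S)  # strip comments
    decl = re.search(r"\bcontract\s+%s\s+is\s+([^{]+)\{" % re.escape(contract), src)
    fn = re.search(r"\bfunction\s+%s\s*\(" % re.escape(init_fn), src)
    if not decl or not fn:
        raise ValueError("contract or initializer not found")
    parents = [p.strip() for p in decl.group(1).split(",")]
    body = _brace_block(src, fn.end())
    called = set(re.findall(r"\b__(\w+?)_init(?:_unchained)?\s*\(", body))
    missing = []
    for parent in parents:
        names = {parent, parent.removesuffix("Upgradeable")}
        if parent not in NO_INIT and not names & called:
            missing.append(parent)
    return missing

# The contract as quoted in the finding (elisions kept as on the page).
VULNERABLE = """
contract BalancerOracleAdapter is Initializable, OwnableUpgradeable, UUPSUpgradeable, PausableUpgradeable, ReentrancyGuardUpgradeable, AggregatorV3Interface, OracleReader {
  // [...]
  function initialize(
    // [...]
  ) initializer external {
    __OracleReader_init(_oracleFeeds);
    __ReentrancyGuard_init();
    __Pausable_init();
    poolAddress = _poolAddress;
    decimals = _decimals;
  }
}
"""
# Constructed variant; the argument passed to __Ownable_init is an assumption.
FIXED = VULNERABLE.replace("__Pausable_init();", "__Pausable_init(); __Ownable_init(msg.sender);")
```

Calling missing_parent_inits(VULNERABLE, "BalancerOracleAdapter") reports OwnableUpgradeable, while the FIXED sample reports nothing. The check is a naming heuristic and does not replace a deployment test that asserts the owner is non-zero after initialization.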
Remediation
This issue has been acknowledged by Plaza Finance, and a fix was implemented in commit 25d4e0e7.