Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Spectral Modelers>Informational findings>Code does not compile
GeneralOverview
Findings
Critical (1)
High (2)
Medium (3)
Low (1)
Informational (1)Code does not compile
DiscussionReturn of staked tokensInsufficient testingMissing zero-address check in `setAdmin`
Threat ModelWhat are threat models?BeaconProxyDeployer.solCompetition.solCompetitionFactory.solModeler.solServiceAgreement.sol
Audit ResultsSummary
Category: Coding Mistakes

Code does not compile

Informational Severity
Informational Impact
N/A Likelihood

Description

The BeaconProxyDeployer contract handles deploying new UpgradeableBeacon contracts for the modeler and competition implementations.

function _createCompetitionBeacon(address logic) internal {
    require(address(competitionBeacon) == address(0), "Competition Beacon is already set");
    competitionBeacon = new UpgradeableBeacon(
        logic,
    );
    emit CompetitionBeaconDeployed(competitionBeacon);
}

function _createModelerBeacon(address logic) internal {
    require(address(modelerBeacon) == address(0), "Competition Beacon is already set");
    modelerBeacon = new UpgradeableBeacon(
        logic, // implementation
        );
    emit ModelerBeaconDeployed(modelerBeacon);
}

The contract uses an older version of OpenZeppelin's UpgradeableBeacon and therefore misses an important upgrade made available in 0.5.0 that sets the initial owner in the constructor of the UpgradeableBeacon. Therefore, the new UpgradeableBeacon command misses the additional parameter for deploying the contract successfully in the latest version.

Impact

The contract cannot be deployed if the latest UpgradeableBeacon version is used.

Recommendations

We recommend using the latest stable and audited version of the UpgradeableBeacon contract, V5.0. That would imply adding the additional parameter for the initialOwner. More can be read about the latest version of the UpgradeableBeacon here.

Remediation

Zellic © 2024Back to top ↑