Initializers not disabled in ownable and upgradable implementation contracts
Description
The WasabiVault and BaseWasabiPool contracts are upgradeable, inheriting from the standard OpenZeppelin UUPSUpgradeable and Ownable contracts. The constructors of these implementation contracts do not disable initializers (i.e. they do not call _disableInitializers()), so the initializer of each deployed implementation remains callable.
Impact
Because the contracts use a recent version of OpenZeppelin, this issue is not exploitable and has no security impact; the finding is therefore reported as informational.
In earlier versions of OpenZeppelin, not disabling initializers meant that anyone could call the implementation contract directly and initialize it, usually obtaining ownership of the implementation. The data associated with the normal operation of the protocol is not affected by this, since that storage belongs to the proxy, which invokes the implementation through delegatecall. However, ownership of the implementation allowed the attacker to call UUPSUpgradeable.upgradeToAndCall on the implementation itself and have it delegatecall into a contract that performs a selfdestruct. This permanently destroys the implementation and, with it, bricks the proxy: the upgrade functionality lives in the now-destroyed implementation, so the proxy can never be pointed at a new one.
Newer versions of OpenZeppelin (4.3.2 and later) remediated this issue with an onlyProxy modifier on upgradeToAndCall, which reverts if the function is invoked directly on the implementation contract rather than through an ERC1967 proxy whose current implementation is that contract.
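As an added illustration (not the Wasabi code base and not part of the original finding), the following shows the unguarded pattern described above next to the hardened one, with a Foundry test exercising both: direct initialization of the hardened implementation reverts, initialization through the proxy still works, and on the unguarded implementation an attacker does become owner but onlyProxy stops the upgradeToAndCall step. It assumes OpenZeppelin Contracts (Upgradeable) 5.x (import paths, the __Ownable_init(address) signature and the InvalidInitialization / UUPSUnauthorizedCallContext custom errors are 5.x) and forge-std; the contract, test and address names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the Wasabi code base. Assumes OpenZeppelin Contracts
// (Upgradeable) 5.x and forge-std; contract and test names are hypothetical.
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";
import {Test} from "forge-std/Test.sol";

/// The pattern described in the finding: no constructor, so the implementation's
/// own initializer slot is untouched after deployment and anyone can call
/// initialize() on the implementation address and become its owner.
contract VaultImplUnguarded is Initializable, OwnableUpgradeable, UUPSUpgradeable {
    uint256 public totalAssets; // illustrative state; lives in the proxy's storage

    function initialize(address owner_) external initializer {
        __Ownable_init(owner_);
        __UUPSUpgradeable_init();
    }

    function _authorizeUpgrade(address) internal override onlyOwner {}
}

/// Hardened variant. A constructor runs only in the implementation's own context,
/// never through the proxy, so _disableInitializers() locks the implementation's
/// initializer for good while each proxy remains free to initialize its own storage.
contract VaultImplGuarded is VaultImplUnguarded {
    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        _disableInitializers();
    }
}

contract InitializerGuardTest is Test {
    address constant ATTACKER = address(0xBEEF);

    // With the guard, initializing the implementation directly reverts.
    function test_guardedImplementationCannotBeInitializedDirectly() public {
        VaultImplGuarded impl = new VaultImplGuarded();
        vm.expectRevert(Initializable.InvalidInitialization.selector);
        impl.initialize(ATTACKER);
    }

    // The guard does not interfere with initialization through the proxy.
    function test_guardedImplementationInitializesThroughProxy() public {
        VaultImplGuarded impl = new VaultImplGuarded();
        ERC1967Proxy proxy = new ERC1967Proxy(
            address(impl),
            abi.encodeCall(VaultImplUnguarded.initialize, (address(this)))
        );
        assertEq(VaultImplGuarded(address(proxy)).owner(), address(this));
    }

    // Without the guard, the attacker does become owner of the implementation
    // (the finding), but onlyProxy (OpenZeppelin >= 4.3.2) blocks the
    // upgradeToAndCall-to-selfdestruct step that made this critical in old versions.
    function test_unguardedImplementationCanBeClaimedButNotUpgraded() public {
        VaultImplUnguarded impl = new VaultImplUnguarded();
        vm.prank(ATTACKER);
        impl.initialize(ATTACKER);
        assertEq(impl.owner(), ATTACKER);

        vm.prank(ATTACKER);
        vm.expectRevert(UUPSUpgradeable.UUPSUnauthorizedCallContext.selector);
        impl.upgradeToAndCall(address(0xDEAD), "");
    }
}
```

Run with forge test in a project that has both OpenZeppelin packages and forge-std installed. The third test is the one that separates the informational finding from the historical critical bug: ownership of the implementation is still obtainable when the constructor guard is missing, which is why disabling initializers in the constructor remains the recommended defense in depth even though onlyProxy removes the destructive step.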
Recommendations
No action is required. Calling _disableInitializers() in the implementation constructors nevertheless remains good practice as defense in depth, so that ownership of the implementation cannot be claimed at all.
Remediation
We reported this issue to the development team as soon as it was identified, because of its potentially critical impact. The Wasabi team promptly developed and submitted a patched version of the contracts that disables initializers in the contract constructors; it was deployed shortly after.
January 5th, 18:51 UTC+1 — Issue raised to the development team.
January 5th, 19:25 UTC+1 — Issue acknowledged.
January 5th, 19:39 UTC+1 — Patch commit submitted for our review.
January 5th, 19:41 UTC+1 — Patch commit reviewed.
January 5th, ~19:45 UTC+1 — Contracts are upgraded.
January 8th, 11:11 UTC+1 — Wasabi team informed that the issue was not exploitable with the OpenZeppelin version in use.