Pool.sol
should use the Upgradeable variant of OpenZeppelin Contracts
#108
Labels
1 (Low Risk)
Assets are not at risk. State handling, function incorrect as to spec, issues with comments
bug
Something isn't working
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Handle
WatchPug
Vulnerability details
Given that
Pool
is deployed as a proxied contract, it should use the Upgradeable variant of OpenZeppelin Contracts.https://github.com/code-423n4/2021-12-sublime/blob/9df1b7c4247f8631647c7627a8da9bdc16db8b11/contracts/Pool/PoolFactory.sol#L320-L355
Otherwise, the constructor functions of
Pool
's parent contracts which may change storage at deploy time, won't work for deployed instances.The effect may be different for different OpenZeppelin libraries.
Take
ReentrancyGuard
for example, the code insideReentrancyGuard.sol#constructor
won't work, should useReentrancyGuardUpgradeable.sol
instead:https://github.com/code-423n4/2021-12-sublime/blob/9df1b7c4247f8631647c7627a8da9bdc16db8b11/contracts/Pool/Pool.sol#L6-L8
https://github.com/code-423n4/2021-12-sublime/blob/9df1b7c4247f8631647c7627a8da9bdc16db8b11/contracts/Pool/Pool.sol#L24-L24
Recommendation
Change to:
The text was updated successfully, but these errors were encountered: