Submitted on Nov 21st 2024 at 07:59:06 UTC by @FaisalAli19 for Audit Comp | Anvil: Letters of Credit
- Report ID: #36970
- Report Type: Smart Contract
- Report severity: Insight
- Target: https://github.com/AcronymFoundation/anvil-contracts/blob/main/contracts/LetterOfCredit.sol
- Impacts:
- Missing `_disableInitializers()` implementation
The `LetterOfCredit.sol` contract uses the `Initializable` module but does not call `_disableInitializers()` in its constructor, so the implementation contract is left unlocked and can still be initialized.
If an attacker initializes the implementation contract directly, they could gain unauthorized control over it, which might in turn affect proxy contracts pointing to that implementation.
An uninitialized implementation contract poses a significant security risk:
- Unauthorized Access: Attackers could initialize the implementation contract, setting themselves as the contract owner or manipulating state variables.
- Proxy Impact: Malicious control over the implementation could indirectly affect proxy contracts relying on it.
See the "Initializing the Implementation Contract" section of the OpenZeppelin upgrades documentation: https://docs.openzeppelin.com/upgrades-plugins/1.x/writing-upgradeable
```solidity
// Lock the implementation contract at deployment so it cannot be initialized directly
constructor() initializer {}
```
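The following is an added illustration of the check, not code from the anvil-contracts repository: a hypothetical `Initializable` implementation in its unguarded and guarded forms, with a Foundry test showing that only the guarded one rejects a direct `initialize` call while still initializing normally behind a proxy. Import paths assume OpenZeppelin Contracts v5 and forge-std; contract names, the `initialize(address)` signature and the `STRANGER` address are constructed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (hypothetical contracts, not anvil-contracts code).
// Import paths assume OpenZeppelin Contracts v5 and forge-std.
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";
import {Test} from "forge-std/Test.sol";

// Unguarded shape: no constructor, so the bare implementation is itself an
// uninitialized Initializable and any caller may run initialize() on it.
contract UnguardedImpl is Initializable {
    address public owner;
    function initialize(address owner_) external initializer { owner = owner_; }
}

// Guarded shape: the constructor executes only in the implementation's own
// storage (never through a proxy delegatecall), so it permanently marks the
// implementation as initialized while proxies still start from a clean slot.
contract GuardedImpl is Initializable {
    address public owner;
    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() { _disableInitializers(); }
    function initialize(address owner_) external initializer { owner = owner_; }
}

contract ImplLockTest is Test {
    address constant STRANGER = address(0xBEEF); // constructed address

    function test_unguardedImplCanBeInitializedByAnyone() public {
        UnguardedImpl impl = new UnguardedImpl();
        vm.prank(STRANGER);
        impl.initialize(STRANGER);          // succeeds: this is the finding
        assertEq(impl.owner(), STRANGER);
    }

    function test_guardedImplRejectsDirectInitialize() public {
        GuardedImpl impl = new GuardedImpl();
        vm.prank(STRANGER);
        vm.expectRevert();                  // InvalidInitialization() in OZ v5
        impl.initialize(STRANGER);
    }

    function test_guardedImplStillInitializesBehindProxy() public {
        GuardedImpl impl = new GuardedImpl();
        bytes memory data = abi.encodeCall(GuardedImpl.initialize, (address(this)));
        GuardedImpl proxied = GuardedImpl(address(new ERC1967Proxy(address(impl), data)));
        assertEq(proxied.owner(), address(this));
    }
}
```

Run with `forge test --match-contract ImplLockTest`; the second test is the regression check to keep once the constructor guard is added.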