Omniscia 0xPhase Audit
AdminUpgradeableProxy Manual Review Findings
AdminUpgradeableProxy Manual Review Findings
AUP-01M: Incorrect Implementation of Initialization
| Type | Severity | Location |
|---|---|---|
| Logical Fault |  | AdminUpgradeableProxy.sol:L34-L36 |
Description:
The AdminUpgradeableProxy::constructor contains an invalid initialization methodology using delegatecall to self, resulting a "successful" call that does not initialize the contract.
Impact:
The flaw arises from the fact that when the constructor of the contract is being executed its code has not yet been stored on the blockchain. As such, a self-call of any kind (delegatecall / call / staticcall) will be performed to an address with no code thus succeeding while not executing any statement.
Example:
26/// @dev Initializes the upgradeable proxy with an initial implementation specified by `_target`.27/// @param _owner Address of proxy owner28/// @param _target Address of contract for proxy29/// @param _initialCall Optional initial calldata30constructor(address _owner, address _target, bytes memory _initialCall) {31 _setImplementation(_target);32 _initializeOwnership(_owner);33
34 if (_initialCall.length > 0) {35 CallLib.delegateCallFunc(address(this), _initialCall);36 }37}Recommendation:
We advise the code to perform a delegatecall instruction directly to the _target as otherwise the contract will not be initialized during deployment.
Alleviation (3dd3d7bf0c2693b2f9c23bacedfa420393f7ea84):
The contract now properly performs a delegatecall instruction to the intended _target of the proxy, initializing itself properly and alleviating this exhibit.