Omniscia 0xPhase Audit

SimpleProxy Manual Review Findings

SPY-01M: Incorrect Implementation of Initialization

Type          | Severity | Location
Logical Fault |          | SimpleProxy.sol:L25-L27

Description:

The SimpleProxy::constructor uses an invalid initialization methodology: it performs a delegatecall to itself, resulting in a "successful" call that does not initialize the contract.

Impact:

The flaw arises from the fact that, when the constructor of the contract is being executed, its code has not yet been stored on the blockchain. As such, a self-call of any kind (delegatecall / call / staticcall) will be performed to an address with no code, thus succeeding while not executing any statement.

Example:

proxy/proxies/SimpleProxy.sol
19  /// @dev Initializes the proxy with an implementation specified by `_target`.
20  /// @param _target Address of contract for proxy
21  /// @param _initialCall Optional initial calldata
22  constructor(address _target, bytes memory _initialCall) {
23      _setImplementation(_target);
24
25      if (_initialCall.length > 0) {
26          CallLib.delegateCallFunc(address(this), _initialCall);
27      }
28  }

Recommendation:

We advise the code to perform a delegatecall instruction directly to the _target, as otherwise the contract will not be initialized during deployment.

Alleviation (3dd3d7bf0c2693b2f9c23bacedfa420393f7ea84):

The contract now properly performs a delegatecall instruction to the intended _target of the proxy, initializing itself properly and alleviating this exhibit.
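
The behaviour described in this finding, shown as an added Solidity example that is not code from the audited repository: the first proxy records what a self-delegatecall sees during construction, and the second delegates to the target directly. The contract names, `Logic.init` and the slot-0 `value` variable are hypothetical, raw `delegatecall` stands in for the project's `CallLib` helper, and the code-size check on the target is an extra guard that the finding does not mention.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical implementation contract used only for this illustration.
contract Logic {
    uint256 public value; // slot 0

    function init(uint256 v) external {
        value = v;
    }
}

// Flawed pattern: delegatecall to address(this) from inside the constructor.
contract SelfCallProxy {
    uint256 public value;        // slot 0, same layout as Logic
    uint256 public codeSizeSeen; // code size of this address during construction
    bool public callOk;          // success flag reported by the low-level call

    constructor(address, bytes memory initialCall) {
        // Runtime code is only stored once the constructor returns,
        // so this address is still an account without code here.
        codeSizeSeen = address(this).code.length;
        // A low-level call to an account without code reports success
        // and executes nothing, so `value` is never written.
        (callOk, ) = address(this).delegatecall(initialCall);
    }
}

// Recommended pattern: delegatecall the implementation itself.
contract TargetCallProxy {
    uint256 public value; // slot 0, same layout as Logic

    constructor(address target, bytes memory initialCall) {
        // Added guard (assumption, not from the finding): a target without
        // code would reproduce the same silent no-op.
        require(target.code.length > 0, "target has no code");
        if (initialCall.length > 0) {
            (bool ok, bytes memory ret) = target.delegatecall(initialCall);
            if (!ok) {
                // Bubble up the implementation's revert data.
                assembly { revert(add(ret, 0x20), mload(ret)) }
            }
        }
    }
}
```

Deploying both with `abi.encodeCall(Logic.init, (42))` and comparing `value()` on each proxy makes a suitable regression test for this class of bug: initialization state must be asserted after deployment, because the success flag alone cannot distinguish the two cases.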