Omniscia Moby Audit
TransparentUpgradeableProxy Manual Review Findings
TUP-01M: Inexistent Prevention of Accidentally Sent Funds
Type | Severity | Location |
---|---|---|
Language Specific | | TransparentUpgradeableProxy.sol:L106-L110 |
Description:
The UpgradeableProxy::constructor is payable yet may not utilize funds at all if no _data payload is provided to it.
Impact:
An upgrade can rescue those funds; however, the recommended change is part of the OpenZeppelin library's latest implementation and is thus advised to be integrated properly.
Example:
contracts/proxy/TransparentUpgradeableProxy.sol
```solidity
103 constructor(address _logic, bytes memory _data) payable {
104     assert(_IMPLEMENTATION_SLOT == bytes32(uint256(keccak256("eip1967.proxy.implementation")) - 1));
105     _setImplementation(_logic);
106     if(_data.length > 0) {
107         // solhint-disable-next-line avoid-low-level-calls
108         (bool success,) = _logic.delegatecall(_data);
109         require(success);
110     }
111 }
```
Recommendation:
We advise the code to ensure that msg.value is 0 if the _data.length value is zero, preventing funds from being accidentally locked during the contract's creation.
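One way to apply the recommendation above, as an added example that is not code from the audited repository or from OpenZeppelin. The contract name GuardedProxyExample and the error NonPayableWithoutData are hypothetical, and the storage helper and fallback are minimal stand-ins so the contract compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: hypothetical contract, not the audited project's code.
contract GuardedProxyExample {
    // EIP-1967 slot: bytes32(uint256(keccak256("eip1967.proxy.implementation")) - 1)
    bytes32 private constant _IMPLEMENTATION_SLOT =
        0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;

    // Hypothetical error name, raised when ether arrives with no initializer payload.
    error NonPayableWithoutData();

    constructor(address _logic, bytes memory _data) payable {
        assert(_IMPLEMENTATION_SLOT == bytes32(uint256(keccak256("eip1967.proxy.implementation")) - 1));
        _setImplementation(_logic);
        if (_data.length > 0) {
            // msg.value is visible to the initializer through the delegatecall.
            // solhint-disable-next-line avoid-low-level-calls
            (bool success, ) = _logic.delegatecall(_data);
            require(success);
        } else if (msg.value != 0) {
            // No initializer runs, so the ether would sit unused in the proxy.
            revert NonPayableWithoutData();
        }
    }

    function _setImplementation(address newImplementation) private {
        require(newImplementation.code.length > 0, "implementation is not a contract");
        bytes32 slot = _IMPLEMENTATION_SLOT;
        assembly {
            sstore(slot, newImplementation)
        }
    }

    // Forward every call to the stored implementation and bubble up its result.
    fallback() external payable {
        bytes32 slot = _IMPLEMENTATION_SLOT;
        assembly {
            let impl := sload(slot)
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            if iszero(ok) { revert(0, returndatasize()) }
            return(0, returndatasize())
        }
    }
}
```

Deploying this with an empty _data and a non-zero value reverts the whole creation transaction, so the sender keeps the ether instead of depending on a later upgrade to recover it.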
Alleviation (b02fae335f62cc1f5f4236fb4d982ad16a32bd26):
The file has been removed from the codebase, rendering this exhibit no longer applicable.