Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

QA Report #30

Open
code423n4 opened this issue Feb 20, 2022 · 3 comments
Open

QA Report #30

code423n4 opened this issue Feb 20, 2022 · 3 comments
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-02-hubble/blob/main/contracts/InsuranceFund.sol#L34-L35

Vulnerability details

Impact

InsuranceFund's initialize doesn't seem to be able to run in the setup provided without initializer modifier, so the contract's ERC20 cannot be initialized, VUSD, marginAccount and governace cannot be set, the contract is inoperable

Proof of Concept

InsuranceFund's initialize calls ERC20Upgradeable's __ERC20_init, stating that it has initializer modifier:

https://github.com/code-423n4/2022-02-hubble/blob/main/contracts/InsuranceFund.sol#L34-L35

While actually __ERC20_init only has onlyInitializing modifier:

https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/blob/master/contracts/token/ERC20/ERC20Upgradeable.sol#L55-L62

That checks that initialization is taking place:

https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/blob/master/contracts/proxy/utils/Initializable.sol#L72-L75

But it hasn't started and this way InsuranceFund's initialize have to fail all the times

Recommended Mitigation Steps

Consider adding initializer modifier (inherited from ERC20Upgradeable) to InsuranceFund's initialize:

Now:

function initialize(address _governance) external {
		__ERC20_init("Hubble-Insurance-Fund", "HIF"); // has initializer modifier
		_setGovernace(_governance);
}

To be:

function initialize(address _governance) external initializer {
		__ERC20_init("Hubble-Insurance-Fund", "HIF"); // has initializer modifier
		_setGovernace(_governance);
}
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Feb 20, 2022
code423n4 added a commit that referenced this issue Feb 20, 2022
@code423n4
hyh issue #30
9743d7d
@atvanguard
Copy link
Collaborator

We are at openzep version 4.2.0 and hence isn't affected by this issue.

@atvanguard atvanguard added the sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue label Feb 24, 2022
@JasoonS JasoonS added invalid This doesn't seem right and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Mar 6, 2022
@JasoonS
Copy link
Collaborator

JasoonS commented Mar 6, 2022

Confirmed not an issue at that version.

@JasoonS JasoonS added 0 (Non-critical) Code style, clarity, syntax, versioning, off-chain monitoring (events etc), exclude gas optimisation and removed invalid This doesn't seem right labels Mar 6, 2022
@CloudEllie CloudEllie added QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 0 (Non-critical) Code style, clarity, syntax, versioning, off-chain monitoring (events etc), exclude gas optimisation labels Mar 24, 2022
@JeeberC4
Copy link

Since this issue was downgraded to a QA level, and the warden did not submit a separate QA report, we've renamed this one to "QA report" for consistency.
The original title, for the record, was InsuranceFund initialize can't be run

@JeeberC4 JeeberC4 changed the title InsuranceFund initialize can't be run QA Report Mar 24, 2022
@JeeberC4 JeeberC4 mentioned this issue Mar 24, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@atvanguard @JasoonS @code423n4 @CloudEllie @JeeberC4