#36970 [SC-Insight] Missing `_disableInitializer()` implementation
Submitted on Nov 21st 2024 at 07:59:06 UTC by @FaisalAli19 for Audit Comp | Anvil: Letters of Credit
Report ID: #36970
Report Type: Smart Contract
Report severity: Insight
Target: https://github.com/AcronymFoundation/anvil-contracts/blob/main/contracts/LetterOfCredit.sol
Impacts:
Missing `_disableInitializer()` implementation
Description
Brief/Intro
The `LetterOfCredit.sol` contract uses the Initializable module and is missing a call to _disableInitializers() in its constructor. This function is critical to ensure that the implementation contract is locked and cannot be initialized.
Vulnerability Details
The implementation contract is missing a call to `_disableInitializers()` in its constructor. This function is critical to ensure that the implementation contract is locked and cannot be initialized. If an attacker successfully initializes the implementation contract, they could potentially gain unauthorized control over it, which might impact proxy contracts pointing to the implementation.
Impact Details
An uninitialized implementation contract poses a significant security risk:
Unauthorized Access: Attackers could initialize the implementation contract, setting themselves as the contract owner or manipulating state variables.
Proxy Impact: Malicious control over the implementation could indirectly affect proxy contracts relying on it.
References
Please check the Initializing the Implementation Contract section. https://docs.openzeppelin.com/upgrades-plugins/1.x/writing-upgradeable
Proof of Concept
https://github.com/AcronymFoundation/anvil-contracts/blob/b03f034929b4c0972c8d81f2d0d33dd730056aa2/contracts/LetterOfCredit.sol#L157
```solidity constructor() initializer {} ```