Was this helpful?
Submitted on Nov 21st 2024 at 07:59:06 UTC by @FaisalAli19 for
Report ID: #36970
Report Type: Smart Contract
Report severity: Insight
Target: https://github.com/AcronymFoundation/anvil-contracts/blob/main/contracts/LetterOfCredit.sol
Impacts:
Missing `_disableInitializer()` implementation
The `LetterOfCredit.sol` contract uses the Initializable module and is missing a call to _disableInitializers() in its constructor. This function is critical to ensure that the implementation contract is locked and cannot be initialized.
The implementation contract is missing a call to `_disableInitializers()` in its constructor. This function is critical to ensure that the implementation contract is locked and cannot be initialized. If an attacker successfully initializes the implementation contract, they could potentially gain unauthorized control over it, which might impact proxy contracts pointing to the implementation.
An uninitialized implementation contract poses a significant security risk:
Unauthorized Access: Attackers could initialize the implementation contract, setting themselves as the contract owner or manipulating state variables.
Proxy Impact: Malicious control over the implementation could indirectly affect proxy contracts relying on it.
Please check the Initializing the Implementation Contract section. https://docs.openzeppelin.com/upgrades-plugins/1.x/writing-upgradeable
https://github.com/AcronymFoundation/anvil-contracts/blob/b03f034929b4c0972c8d81f2d0d33dd730056aa2/contracts/LetterOfCredit.sol#L157
```solidity constructor() initializer {} ```
