#58992 [SC-Low] The FirelightVault contract doesn't call _disableInitializers in its constructor

Submitted on Nov 7th 2025 at 15:09:03 UTC by @EagleEye for Audit Comp | Firelight

  • Report ID: #58992

  • Report Type: Smart Contract

  • Report severity: Low

  • Target: https://github.com/firelight-protocol/firelight-core/blob/main/contracts/FirelightVault.sol

  • Impacts:

Description

Brief/Intro

The FirelightVault contract is an ERC4626Upgradeable vault with an initialize function, but it has no constructor that calls the _disableInitializers function. This omission allows the implementation contract itself to be initialized by a malicious user without going through a proxy.

Vulnerability Details

The FirelightVault contract doesn't call the _disableInitializers function in its constructor.

    // No constructor calling _disableInitializers() is declared, so this initializer
    // is also callable directly on the bare implementation contract.
    function initialize(
        IERC20 _asset,
        string memory _name,
        string memory _symbol,
        bytes memory _initParams
    ) public initializer {
        InitParams memory initParams = abi.decode(_initParams, (InitParams));
        __ERC20_init(_name, _symbol);
        __ERC4626_init(_asset);
        __Pausable_init();
        __ReentrancyGuard_init();
        __AccessControl_init();

        if (address(_asset) == address(0)) {
            revert InvalidAssetAddress();
        }

        if (initParams.depositLimit == 0) {
            revert InvalidDepositLimit();
        }

        if (initParams.periodConfigurationDuration == 0) {
            revert InvalidPeriodConfigurationDuration();
        }
    ....

The initialize function is intended to be called by the owner through the proxy, but because the implementation is never locked, a malicious user can call it directly on the implementation contract without using a proxy.

Impact Details

A malicious user gains control over the protocol. The admin would then have to redeploy the protocol.

References

https://github.com/firelight-protocol/firelight-core/blob/db36312f1fb24efc88c3fde15a760defbc3e6370/contracts/FirelightVault.sol#L146

Recommendation

Add a constructor that calls the _disableInitializers function.
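As an added example (not part of this report or the Firelight codebase), the recommended fix applied to a minimal stand-in contract, with a Foundry test checking both that the bare implementation now refuses initialize() and that deployment behind a proxy still works. It assumes OpenZeppelin v5 (custom error InvalidInitialization) and forge-std; HardenedVault and its single-argument initialize are simplifications, not the vault's real interface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {AccessControlUpgradeable} from "@openzeppelin/contracts-upgradeable/access/AccessControlUpgradeable.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";

// Stand-in for the vault (assumption): only the initializer pattern matters here.
contract HardenedVault is AccessControlUpgradeable {
    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // Marks the implementation as fully initialized, so initialize()
        // can only ever run in a proxy's storage context.
        _disableInitializers();
    }

    function initialize(address _admin) public initializer {
        __AccessControl_init();
        _grantRole(DEFAULT_ADMIN_ROLE, _admin);
    }
}

contract HardenedVaultTest is Test {
    HardenedVault impl;

    function setUp() public {
        impl = new HardenedVault();
    }

    function testImplementationCannotBeInitialized() public {
        // Direct call on the implementation must revert with InvalidInitialization().
        vm.expectRevert(Initializable.InvalidInitialization.selector);
        impl.initialize(address(0xBAD));
    }

    function testProxyStillInitializes() public {
        // Through a proxy the initializer runs once against fresh storage.
        bytes memory data = abi.encodeCall(HardenedVault.initialize, (address(this)));
        ERC1967Proxy proxy = new ERC1967Proxy(address(impl), data);
        HardenedVault vault = HardenedVault(address(proxy));
        assertTrue(vault.hasRole(vault.DEFAULT_ADMIN_ROLE(), address(this)));
        assertFalse(vault.hasRole(vault.DEFAULT_ADMIN_ROLE(), address(0xBAD)));
    }
}
```

With OpenZeppelin v4 the same call reverts with the string "Initializable: contract is already initialized" instead of the custom error, so the expectRevert argument would change accordingly.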

Proof of Concept

Add a Foundry setup to the Hardhat project, following the steps in this link: https://getfoundry.sh/config/hardhat/#adding-foundry-to-a-hardhat-project Then you can execute the following test with the command: forge test --mt "testInitializeVault" -vvvvv

The test shows that anyone can initialize the FirelightVault contract and gain the admin rights:

And the result:
