# Attackathon \_ Fuel Network 32314 - \[Smart Contract - Insight] Missing \_disableInitializers in FuelER

Submitted on Tue Jun 18 2024 06:05:13 GMT-0400 (Atlantic Standard Time) by @shanb1605 for [Attackathon | Fuel Network](https://immunefi.com/bounty/fuel-network-attackathon/)

Report ID: #32314

Report type: Smart Contract

Report severity: Insight

Target: <https://github.com/FuelLabs/fuel-bridge/tree/623dc288c332b9d55f59b1d3f5e04909e2b4435d/packages/solidity-contracts>

Impacts:

* Contract fails to deliver promised returns, but doesn't lose value

## Description

## Brief/Intro

The `FuelERC20GatewayV4` contract is a UUPS upgradeable contract. It's missing `_disableInitializers` inside constructor to stop initializing the implementation contract.

## Vulnerability Details

Since there is missing `_disableInitializers` inside constructor. Anyone could initialize the implementation of `FuelERC20GatewayV4` contract.

<https://github.com/FuelLabs/fuel-bridge/blob/623dc288c332b9d55f59b1d3f5e04909e2b4435d/packages/solidity-contracts/contracts/messaging/gateway/FuelERC20Gateway/FuelERC20GatewayV4.sol>

## Impact Details

Openzeppelin advises initializing the UUPS contract implementation, but `FuelERC20GatewayV4` doesn't initialize it under constructor. This leaves anyone to initialize the implementation contract.

## References

<https://forum.openzeppelin.com/t/security-advisory-initialize-uups-implementation-contracts/15301>

## Mitigation

Consider adding this snippet to `FuelERC20GatewayV4.sol`

```solidity
constructor() {
    _disableInitializers()
}
```

## Proof of concept

## Proof of Concept

The POC is tested through tenderly local simulation that proves anyone can initialize the impl contract.

1. Go to Tenderly simulator: <https://dashboard.tenderly.co/project/simulator/>
2. Click on `New Simulation`
3. Insert the impl address on sepolia `0xf6024ccbfbb2201c3d43c0c2bbd162d65d4a07c4`
4. Choose Network as `Sepolia`
5. Now choose `Enter raw input data` and fill ***0xc4d66de80000000000000000000000005a36ec816a51d76542cf45f7f7c24ced5b1671e900000000000000000000000000000000000000000000000000000000***
6. Click on `Simulate Transaction`

***The above input data is call data encoding of initialize(address)***


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-32314-smart-contract-insight-missing-_disableinitializers-in-fuelercgatew.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.