Attackathon _ Fuel Network 32314 - [Smart Contract - Insight] Missing _disableInitializers in FuelER
Submitted on Tue Jun 18 2024 06:05:13 GMT-0400 (Atlantic Standard Time) by @shanb1605 for
Report ID: #32314
Report type: Smart Contract
Report severity: Insight
Target: https://github.com/FuelLabs/fuel-bridge/tree/623dc288c332b9d55f59b1d3f5e04909e2b4435d/packages/solidity-contracts
Impacts:
Contract fails to deliver promised returns, but doesn't lose value
The FuelERC20GatewayV4 contract is a UUPS upgradeable contract. It is missing a _disableInitializers() call in its constructor, which is what stops the implementation contract from being initialized. Because that call is missing, anyone can initialize the implementation of the FuelERC20GatewayV4 contract.
https://github.com/FuelLabs/fuel-bridge/blob/623dc288c332b9d55f59b1d3f5e04909e2b4435d/packages/solidity-contracts/contracts/messaging/gateway/FuelERC20Gateway/FuelERC20GatewayV4.sol
OpenZeppelin advises initializing the UUPS implementation contract, but FuelERC20GatewayV4 does not do so in its constructor. This leaves the implementation contract open for anyone to initialize.
https://forum.openzeppelin.com/t/security-advisory-initialize-uups-implementation-contracts/15301
Consider adding this snippet to FuelERC20GatewayV4.sol
The PoC was tested through a Tenderly local simulation, which shows that anyone can initialize the implementation contract.
Go to the Tenderly simulator: https://dashboard.tenderly.co/project/simulator/
Click on New Simulation
Insert the implementation address on Sepolia: 0xf6024ccbfbb2201c3d43c0c2bbd162d65d4a07c4
Choose Sepolia as the network
Choose Enter raw input data and fill in 0xc4d66de80000000000000000000000005a36ec816a51d76542cf45f7f7c24ced5b1671e900000000000000000000000000000000000000000000000000000000
Click on Simulate Transaction
The above input data is the calldata encoding of initialize(address).