Cuddly Cream Jellyfish
High
Proxy implementation contracts along the inheritance chain could be left uninitialized, and vulnerable to initialization by attackers due to missing _disableInitializers()
call in NounsAuctionHouseV2
contract.
According to openzeppelin's documentation and comment suggestions, an uninitialized contract can be taken over by an attacker, and this applies to both the proxy and its implementation.
NounsAuctionHouseV2
inherits the proxy contract PausableUpgradeable
which makes it vulnerable to uninitialization as it does not disable further initialization of the underlying contracts.
Further notes on this topic include:
- https://forum.openzeppelin.com/t/what-does-disableinitializers-function-mean/28730/2
- https://forum.openzeppelin.com/t/uupsupgradeable-vulnerability-post-mortem/15680/14
- https://docs.openzeppelin.com/contracts/5.x/api/proxy#Initializable-_disableInitializers--
Underlying proxy implementation contract takeover by attacker.
Adding the following line to it's constructor prevents initialization of the implementations contract itself, adding extra protection from attackers:
constructor(INounsToken _nouns, address _weth, uint256 _duration) initializer {
nouns = _nouns;
weth = _weth;
duration = _duration;
_disableInitializers(); // @audit-fix: disables implementation initialization
}