Afriaudit - Missing Initialization of OwnableUpgradeable in `LenderCommitmentGroup_Smart` Contract
Closed this issue · 0 comments
Afriaudit
medium
Missing Initialization of OwnableUpgradeable in LenderCommitmentGroup_Smart
Contract
Summary
The LenderCommitmentGroup_Smart
contract inherits from OwnableUpgradeable
but does not call the required initialization function __Ownable_init()
to establish the contract's ownership.
Vulnerability Detail
The contract uses the OpenZeppelin upgradeable contracts framework, which requires explicit initialization of inherited contracts due to the lack of a constructor in the proxy pattern. The OwnableUpgradeable contract provides ownership management features, but without proper initialization, the owner of the contract will not be set, leading to potential issues with access control and ownership-dependent functions.
Impact
Failure to initialize OwnableUpgradeable means that the owner() function will return the zero address, and functions restricted to the owner, such as pauseBorrowing() and unpauseBorrowing(), cannot be called successfully. This compromises the contract's administrative controls and emergency stop mechanisms.
Code Snippet
Tool used
Manual Review
Recommendation
Include a call to __Ownable_init() within the initialize function to properly set the initial owner of the contract.
Duplicate of #35