sherlock-audit/2024-04-teller-finance-judging

0x73696d616f - Missing `__Ownable_init()` call in `LenderCommitmentGroup_Smart::initialize()`


0x73696d616f

high

Missing __Ownable_init() call in LenderCommitmentGroup_Smart::initialize()

Summary

__Ownable_init() is not called in LenderCommitmentGroup_Smart::initialize(), which will make the contract not have any owner.

Vulnerability Detail

LenderCommitmentGroup_Smart::initialize() does not call __Ownable_init() and will be left without an owner.

Impact

Inability to pause and unpause borrowing in LenderCommitmentGroup_Smart due to having no owner, as these functions are onlyOwner.

Code Snippet

https://github.com/sherlock-audit/2024-04-teller-finance/blob/main/teller-protocol-v2-audit-2024/packages/contracts/contracts/LenderCommitmentForwarder/extensions/LenderCommitmentGroup/LenderCommitmentGroup_Smart.sol#L158

Tool used

Manual Review

VS Code

Recommendation

Modify LenderCommitmentGroup_Smart::initialize() to call __Ownable_init():

```solidity
function initialize(
    ...
) external initializer returns (address poolSharesToken_) {
    __Ownable_init();
}
```
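The effect described in this report can be reproduced in isolation. The following is an added example, not code from the report or from the Teller repository: `OwnableLike` is a constructed stand-in for a v4-style `OwnableUpgradeable` with a no-argument `__Ownable_init()`, and `PoolMissingInit`, `PoolWithInit` and `OwnerCheck` are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed stand-in for an upgradeable Ownable base (no-argument init).
abstract contract OwnableLike {
    address private _owner;
    bool private _initialized;

    modifier initializer() {
        require(!_initialized, "already initialized");
        _initialized = true;
        _;
    }

    modifier onlyOwner() {
        require(msg.sender == _owner, "Ownable: caller is not the owner");
        _;
    }

    // Owner is only ever set here, so skipping this call leaves it at address(0).
    function __Ownable_init() internal { _owner = msg.sender; }
    function owner() public view returns (address) { return _owner; }
}

// Hypothetical pool whose initialize() forgets the owner setup.
contract PoolMissingInit is OwnableLike {
    bool public paused;
    function initialize() external initializer {}
    function pause() external onlyOwner { paused = true; }
}

// Same pool with the recommended call added.
contract PoolWithInit is OwnableLike {
    bool public paused;
    function initialize() external initializer { __Ownable_init(); }
    function pause() external onlyOwner { paused = true; }
}

// Initializes both pools, then reports whether the initializer can pause each.
contract OwnerCheck {
    function run() external returns (bool missingCanPause, bool fixedCanPause) {
        PoolMissingInit a = new PoolMissingInit();
        a.initialize();
        PoolWithInit b = new PoolWithInit();
        b.initialize();
        try a.pause() { missingCanPause = true; } catch {}
        try b.pause() { fixedCanPause = true; } catch {}
        assert(a.owner() == address(0) && b.owner() == address(this));
    }
}
```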

The protocol team fixed this issue in the following PRs/commits:
teller-protocol/teller-protocol-v2-audit-2024#13

The Lead Senior Watson signed off on the fix.