Description
Tricky Velvet Marmot
Medium
Uninitialized Variables in SwapperEngine Contract
Summary
SwapperEngine has no initialize() function, so registryAccess, registryContract, oracle, usdcToken, and usd0 are never set and keep their default value of address(0). Every code path that calls through these addresses will misbehave or revert.
Vulnerability Detail
The contract relies on several key state variables held in its SwapperEngineStorageV0 struct: registryAccess, registryContract, oracle, usdcToken, and usd0. None of them is ever written, so each reads as the zero address. The cause is the absence of an initialize() function that sets these fields when the contract is deployed or upgraded. An upgradeable contract cannot rely on a constructor for this: the constructor runs in the implementation, not in the proxy's storage, so the fields must be set by an initializer invoked through the proxy.
struct SwapperEngineStorageV0 {
@> IRegistryAccess registryAccess;
@> IRegistryContract registryContract;
@> IOracle oracle;
@> IERC20 usdcToken;
@> IERC20 usd0;
mapping(uint256 => UsdcOrder) orders;
uint256 nextOrderId;
uint256 minimumUSDCAmountProvided;
}
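The following contract is an added example and is not the project's code. It keeps its state in the SwapperEngineStorageV0 struct shown above, behind an assumed namespaced storage slot (the project's real slot constant, storage accessor, UsdcOrder layout and interfaces are not on the page and are stand-ins here), and shows both halves of the finding: before initialize() runs every field reads as zero, so the first external call goes to address(0) and reverts; the initializer rejects zero addresses and writes through the struct. It assumes OpenZeppelin's upgradeable Initializable as a dependency.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the project's code. Dependency assumed: OpenZeppelin upgradeable Initializable.
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";

// Minimal stand-in interfaces; the project's own interfaces are not on the page.
interface IRegistryAccess {}
interface IRegistryContract {}
interface IOracle {
    function getPrice(address token) external view returns (uint256);
}
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Assumed shape of UsdcOrder (only its name is visible in the finding).
struct UsdcOrder {
    address requester;
    uint256 tokenAmount;
    bool active;
}

// Storage layout as shown in the finding.
struct SwapperEngineStorageV0 {
    IRegistryAccess registryAccess;
    IRegistryContract registryContract;
    IOracle oracle;
    IERC20 usdcToken;
    IERC20 usd0;
    mapping(uint256 => UsdcOrder) orders;
    uint256 nextOrderId;
    uint256 minimumUSDCAmountProvided;
}

contract SwapperEngineExample is Initializable {
    // Assumed slot label for this example; the project's real slot constant is not on the page.
    bytes32 private constant SWAPPER_ENGINE_STORAGE_SLOT =
        keccak256("example.storage.SwapperEngineStorageV0");

    error ZeroAddress(string field);
    error NotInitialized();

    // Lock the implementation contract so only the proxy's storage can ever be initialized.
    constructor() {
        _disableInitializers();
    }

    // Returns the struct living at the namespaced slot; all state access goes through it.
    function _storage() private pure returns (SwapperEngineStorageV0 storage $) {
        bytes32 slot = SWAPPER_ENGINE_STORAGE_SLOT;
        assembly {
            $.slot := slot
        }
    }

    // Each address is rejected when zero, so a misconfigured deployment fails here
    // rather than later, at the first external call through a zero address.
    function initialize(
        address _registryAccess,
        address _registryContract,
        address _oracle,
        address _usdcToken,
        address _usd0,
        uint256 _minimumUSDCAmountProvided
    ) public initializer {
        if (_registryAccess == address(0)) revert ZeroAddress("registryAccess");
        if (_registryContract == address(0)) revert ZeroAddress("registryContract");
        if (_oracle == address(0)) revert ZeroAddress("oracle");
        if (_usdcToken == address(0)) revert ZeroAddress("usdcToken");
        if (_usd0 == address(0)) revert ZeroAddress("usd0");

        SwapperEngineStorageV0 storage $ = _storage();
        $.registryAccess = IRegistryAccess(_registryAccess);
        $.registryContract = IRegistryContract(_registryContract);
        $.oracle = IOracle(_oracle);
        $.usdcToken = IERC20(_usdcToken);
        $.usd0 = IERC20(_usd0);
        $.nextOrderId = 1;
        $.minimumUSDCAmountProvided = _minimumUSDCAmountProvided;
    }

    // Before initialize() runs, every field in the struct reads as zero, so the oracle
    // call below would be an external call to address(0) and revert with no reason.
    // This guard turns that failure into an explicit error.
    modifier whenInitialized() {
        if (address(_storage().oracle) == address(0)) revert NotInitialized();
        _;
    }

    function usdcPrice() external view whenInitialized returns (uint256) {
        SwapperEngineStorageV0 storage $ = _storage();
        return $.oracle.getPrice(address($.usdcToken));
    }

    function minimumUSDCAmountProvided() external view returns (uint256) {
        return _storage().minimumUSDCAmountProvided;
    }
}
```

Deploy the implementation, put a proxy in front of it, and call initialize() through the proxy once; calling usdcPrice() on a proxy that was never initialized reverts with NotInitialized(), which is the failure mode the finding describes, surfaced explicitly instead of as a bare revert from a call to address(0).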
Impact
If these critical addresses (registryAccess, registryContract, oracle, usdcToken, usd0) are left at address(0), every function that reads them either operates on a nonexistent contract or reverts, which amounts to a denial of service of the contract's swap functionality.
Tool Used
Manual Review
Recommendation
Implement an initialize() function that sets these addresses at deployment:
+ function initialize(
+ address _registryAccess,
+ address _registryContract,
+ address _oracle,
+ address _usdcToken,
+ address _usd0
+ ) public initializer {
+ registryAccess = IRegistryAccess(_registryAccess);
+ registryContract = IRegistryContract(_registryContract);
+ oracle = IOracle(_oracle);
+ usdcToken = IERC20(_usdcToken);
+ usd0 = IERC20(_usd0);
+ }
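Review bot: the assignments in this initializer write to bare state variables (`registryAccess = IRegistryAccess(_registryAccess);`), but the Vulnerability Detail section shows these fields living inside the SwapperEngineStorageV0 struct, so as written the fix would not compile against that layout; fetch the struct through its storage accessor and write `$.registryAccess = IRegistryAccess(_registryAccess);` and likewise for the other four fields. The function also accepts address(0) for every parameter, which reproduces the exact state the finding reports; add a zero-address check per parameter before the assignments. Since the `initializer` modifier implies a proxy deployment, the implementation's constructor should call `_disableInitializers()` so the implementation itself cannot be initialized by a third party.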