Steadefi

DeFi, Hardhat, Foundry, Oracle
35,000 USDC
Submission Details
Severity: high
Invalid

Initializers must be protected

Summary

The vulnerability titled "Initializers must be protected" refers to the constructor function in the provided Solidity code. The constructor initializes the contract when it is first created, and it is not protected, meaning that any entity can call it.

Vulnerability Details

This could potentially allow an attacker to re-initialize the contract with a new vault address, leading to loss of control over the contract or misdirection of funds. To mitigate this vulnerability, the constructor should be given access controls or modifiers so that only authorized entities can initialize the contract.

Impact

This would have a massive impact, because it could lead to a loss of funds.

Tools Used

Recommendations

To resolve this issue, add an access control mechanism to the constructor so that only authorized entities can initialize the contract. This can be done with OpenZeppelin's Ownable contract. Here is how:

  1. First, install the OpenZeppelin contracts by running npm install @openzeppelin/contracts.

  2. Import the Ownable contract into your contract file: import "@openzeppelin/contracts/access/Ownable.sol";.

  3. Make your contract inherit from the Ownable contract: contract GMXCallback is IDepositCallbackReceiver, IWithdrawalCallbackReceiver, Ownable.

  4. In the constructor, add the onlyOwner modifier to ensure that only the contract owner can initialize the contract:

    // Ownable's constructor runs before this modifier is checked, so the deployer
    // is already the owner when onlyOwner is evaluated. With OpenZeppelin v5 the
    // base constructor needs an argument: `Ownable(msg.sender) onlyOwner`.
    constructor(address _vault) onlyOwner {
        vault = IGMXVault(_vault);
        roleStore = IRoleStore(vault.store().roleStore);
    }

  5. Deploy the contract by calling the constructor from the account that you want to be the owner.

This way, only the owner of the contract will be able to initialize it, preventing potential attacks.
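The five steps above assembled into a single file, as an added example that is not code from this submission or from the Steadefi code base. It assumes OpenZeppelin Contracts v5 (whose Ownable constructor takes the initial owner as an argument) and uses constructed minimal stand-ins for IGMXVault and IRoleStore, since their real definitions are not on this page; the GMX callback interfaces named in step 3 are omitted for the same reason.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Step 2: import Ownable (installed in step 1 with `npm install @openzeppelin/contracts`).
import "@openzeppelin/contracts/access/Ownable.sol";

// Constructed stand-ins for the project's interfaces: only the members that the
// submission's constructor touches are declared here.
interface IRoleStore {}

interface IGMXVault {
    struct Store {
        address roleStore;
    }

    function store() external view returns (Store memory);
}

// Step 3: inherit from Ownable (the GMX callback interfaces are left out here).
contract GMXCallback is Ownable {
    IGMXVault public vault;
    IRoleStore public roleStore;

    // Step 4: onlyOwner on the constructor. Ownable's own constructor runs first
    // and records msg.sender as owner, so the modifier admits the deployer
    // (step 5: deploy from the account that should own the contract).
    // A constructor executes exactly once, at deployment, so this guard only
    // restricts who can deploy the contract.
    constructor(address _vault) Ownable(msg.sender) onlyOwner {
        vault = IGMXVault(_vault);
        roleStore = IRoleStore(vault.store().roleStore);
    }
}
```

Compile it with the Hardhat or Foundry toolchain listed for this contest. With OpenZeppelin Contracts v4, drop the `Ownable(msg.sender)` argument, since that version's Ownable constructor takes none and sets the deployer as owner itself.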

Updates

Lead Judging Commences

hans Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
