Contest tags: Beginner Friendly, Foundry, DeFi, Oracle
Submission Details
Severity: high
Invalid

The initialize function can be front-run by an attacker

Summary

Not calling the initialize function in the deploy script leaves the contract open to attack.

Vulnerability Details

The initialize function replaces the constructor and should be called in the same script that deploys the contract. The deploy script does not initialize the contract after deployment, which allows an attacker to front-run the authorized owner and initialize the contract themselves.

Impact

  1. If noticed early, the protocol has to redeploy the contract, wasting deployment cost.

  2. If liquidity providers have already interacted with it, the attacker can upgrade the contract to allow only the owner to withdraw all funds, causing loss of funds for liquidity providers.

Tools Used

Manual review, foundry

Recommendations

The initialize function should be called in the deploy script to avoid attackers front-running the authorized admin.
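As an added example (not the submitter's or the project's code), a Foundry deploy script that closes the window described above. It uses a hypothetical `ExampleVault` and OpenZeppelin's `ERC1967Proxy`, and goes one step beyond calling initialize in a second transaction: the initializer calldata is passed to the proxy constructor, so deployment and initialization happen in a single transaction and there is no pending-initialize state for anyone to front-run.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Script} from "forge-std/Script.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";

// Hypothetical upgradeable contract standing in for the audited one.
contract ExampleVault {
    address public owner;
    bool private initialized;

    // Lock the implementation's own storage so the logic contract itself
    // can never be initialized by a third party.
    constructor() {
        initialized = true;
    }

    // Replaces the constructor for the proxy's storage. One-shot by design.
    function initialize(address _owner) external {
        require(!initialized, "already initialized");
        initialized = true;
        owner = _owner;
    }
}

contract DeployExampleVault is Script {
    function run() external returns (address proxy) {
        // Hypothetical environment variable holding the intended admin.
        address admin = vm.envAddress("ADMIN");

        vm.startBroadcast();
        ExampleVault impl = new ExampleVault();

        // Vulnerable pattern for comparison (do not do this):
        //   proxy = address(new ERC1967Proxy(address(impl), ""));
        //   -> initialize() is left callable by whoever sends the next tx.

        // Fix: hand initialize(admin) to the proxy constructor so the proxy
        // delegatecalls it during its own deployment. Deploy + init is atomic.
        bytes memory initData = abi.encodeCall(ExampleVault.initialize, (admin));
        proxy = address(new ERC1967Proxy(address(impl), initData));
        vm.stopBroadcast();
    }
}
```

A forge test that deploys through `DeployExampleVault.run()` and asserts `ExampleVault(proxy).owner() == admin`, then expects a revert on a second `initialize` call, is the cheapest regression check for this class of bug.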

Updates

Lead Judging Commences

0xnevi Lead Judge
almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Front-running initializers
leogold Submitter
almost 2 years ago
