Submission Details
Severity: medium
Invalid

OracleUpgradable initialize function can be called by anyone with any arbitrary pool factory address.

Summary

There is a potential window allowing an arbitrary account to call initialize and set critical state variables, such as factory addresses, which should only be set by the contract deployer or an authorized account.

Vulnerability Details

The initialize function lacks modifiers that restrict its execution to only the contract deployer or some other trusted authority. Any Ethereum account that calls this function before the deployer can set the state variables (s_poolFactory in this case), potentially hijacking the contract's intended logic and behavior.

Impact

The impact is medium, because if the deployment and initialization are called atomically within the same transaction, it will be near impossible for a malicious actor to call initialize and set their desired address as the pool factory address.

Tools Used

Manual Review
Foundry testing.

Recommendations

  1. Implement access control on the initialize function to ensure only authorized accounts can call it. This can be done using OpenZeppelin's Ownable contract combined with the onlyOwner modifier or a custom access control system.

  2. Ensure deployment scripts are designed to be atomic in nature. They must call initialize in the same transaction as the deployment of the contract, leaving no window for unauthorized calls.
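
A sketch of recommendation 2, added here as an illustration and not taken from the audited code base: it assumes the oracle sits behind an OpenZeppelin ERC1967 proxy, and `OracleSketch`, `AtomicOracleDeployer` and `getPoolFactory` are hypothetical names. Proxy creation and `initialize` run in one transaction, and the implementation is locked against direct initialization.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";

// Hypothetical stand-in for the reviewed contract; only the initializer is modelled.
contract OracleSketch is Initializable {
    address private s_poolFactory;

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // Lock the implementation so it can never be initialized directly.
        _disableInitializers();
    }

    // `initializer` permits exactly one successful call per proxy;
    // any later call reverts.
    function initialize(address poolFactory) external initializer {
        require(poolFactory != address(0), "zero factory");
        s_poolFactory = poolFactory;
    }

    function getPoolFactory() external view returns (address) {
        return s_poolFactory;
    }
}

// Hypothetical deployer: the proxy is created and initialized in one transaction.
contract AtomicOracleDeployer {
    event OracleDeployed(address proxy, address implementation);

    function deploy(address poolFactory) external returns (address proxy) {
        OracleSketch impl = new OracleSketch();
        // The proxy constructor delegatecalls `initialize` with this calldata,
        // so the proxy never exists on-chain in an uninitialized state.
        proxy = address(
            new ERC1967Proxy(address(impl), abi.encodeCall(OracleSketch.initialize, (poolFactory)))
        );
        // A deployment script can compare getPoolFactory() with its input.
        emit OracleDeployed(proxy, address(impl));
    }
}
```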

Updates

Lead Judging Commences

0xnevi Lead Judge
over 1 year ago
Submission Judgement Published
Invalidated
Reason: Front-running initializers
