stake.link
stake.link
DeFiHardhatBridge
27,500 USDC
View results
Previous Next
Submission Details
Severity: high
Invalid

SDLPoolPrimary can be reinitialized

0xhashiman

Summary

The initialize function within SDLPoolPrimary.sol lacks access control measures and can be invoked multiple times.

Vulnerability Details

The reinitialization possibility arises due to the function using reinitializer(2) instead of an initializer flag. This allows the function to be rerun multiple times, potentially impacting critical variables.
For instance, we call __SDLPoolBase_init() in initialize() function, responsible for initializing __RewardsPoolController_init(), which in turn initializes the owner using __Ownable_init(). Such reinitializations can lead to significant consequences.

Impact

Lines of code:

function initialize(
string memory _name,
string memory _symbol,
address _sdlToken,
address _boostController
) public reinitializer(2) {
if (delegatorPool == address(0)) {
__SDLPoolBase_init(_name, _symbol, _sdlToken, _boostController);
} else {
delegatorPool = ccipController;
}
}

Tools Used

Manual Analysis

Recommendations

To mitigate this issue, it's advisable to use the modifier initializer and introduce access control to safeguard against potential front-running attacks. This would prevent the function from being re-executed, ensuring more secure initialization procedures.

Updates

Lead Judging Commences

0kage Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.