stake.link

DeFiHardhatBridge
27,500 USDC
Submission Details
Severity: low
Invalid

Potential front-running issue in `initialize`

Summary

The `SDLPoolSecondary` contract uses an `initialize` function for upgradeability, but the function is publicly callable, which poses a security risk. Specifically, if the contract is not initialized in the same transaction as its construction, malicious actors can front-run the initialization.

Vulnerability Details

The vulnerability lies in the public accessibility of the initialize function in the SDLPoolSecondary contract. While the contract is designed for upgradeability, allowing arbitrary or malicious values to be passed to the initialize function creates a potential security loophole. The risk is further heightened when the initialization does not occur in the same transaction as the contract construction, exposing legitimate actors to front-running attacks by malicious entities.

Impact

The impact of this vulnerability could be severe, potentially leading to unauthorized modifications of the contract state or unintended behavior. Front-running attacks could compromise the integrity of the contract and negatively affect the project's functionality. The security of user funds and the overall reliability of the project may be jeopardized if this issue is not promptly addressed.

Tools Used

  • Manual review.

Recommendations

Make initializing contracts within the same transaction as their construction a priority in the design of the upgrade scheme and deployment mechanisms for this project. Alternatively, consider limiting who can call the `initialize` function.
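
The first recommendation, sketched as an added example that is not part of the submission or the stake.link code base: the proxy is created and initialized in a single transaction, and the implementation is locked against direct initialization. `ExamplePool`, `ExamplePoolDeployer` and the `initialize` parameters are hypothetical, and the imports assume OpenZeppelin Contracts v5.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumption: OpenZeppelin Contracts v5 is installed.
import {Initializable} from "@openzeppelin/contracts/proxy/utils/Initializable.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";

// Hypothetical stand-in for an upgradeable pool; not SDLPoolSecondary itself.
contract ExamplePool is Initializable {
    address public owner;
    address public token;

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // Locks the implementation so initialize() can never be called on it directly.
        _disableInitializers();
    }

    // Callable once per proxy; the initializer modifier rejects any second call.
    function initialize(address owner_, address token_) external initializer {
        require(owner_ != address(0) && token_ != address(0), "zero address");
        owner = owner_;
        token = token_;
    }
}

// Hypothetical deployer: creates the proxy and initializes it atomically.
contract ExamplePoolDeployer {
    event PoolDeployed(address proxy);

    function deploy(address implementation, address owner_, address token_)
        external
        returns (address proxy)
    {
        bytes memory initData = abi.encodeCall(ExamplePool.initialize, (owner_, token_));
        // ERC1967Proxy delegatecalls initData inside its constructor and reverts
        // if that call fails, so the proxy never exists uninitialized on-chain.
        proxy = address(new ERC1967Proxy(implementation, initData));
        // Post-deployment check that the stored state matches the intended values.
        require(ExamplePool(proxy).owner() == owner_, "init mismatch");
        emit PoolDeployed(proxy);
    }
}
```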

Updates

Lead Judging Commences

0kage Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
