The vulnerability is the risk of front-running the initializer, specifically the Distribution_init function in the provided code snippet. If the initializer is not called immediately after contract deployment, a malicious actor can call it first and set critical parameters to their own advantage.
The Distribution_init function initializes the contract's parameters: it creates the pools, assigns the deposit token, and sets the L1 sender address. The weakness is in the deployment process, which does not explicitly enforce automated initialization. If the deployment process allows any delay before the initializer is called, the initializer can be front-run.
https://github.com/MorpheusAIs/SmartContracts/blob/dev/contracts/Distribution.sol#L54
Front-running the initializer could change crucial contract parameters in favor of a malicious actor. In the provided code, delayed initialization may lead to unexpected contract behavior, particularly in pool creation and deposit token management.
Manual review of the Distribution_init function
Automate the initialization process during contract deployment to ensure immediate execution of the Distribution_init function.
+ require(!initialized, "Distribution: already initialized");
initialized = true;
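Review bot: the added require(!initialized, "Distribution: already initialized") line only rejects a second call to the initializer; it places no restriction on who makes the first call, which is the front-running case this finding describes. Keep the guard, but close the first-call window by calling Distribution_init in the same transaction as deployment, as recommended above, or by checking the caller. The snippet also leaves it unclear whether "initialized = true;" is new or existing context, so mark it with "+" if it is part of the change.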
Case study: https://github.com/openethereum/parity-ethereum/issues/6995
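One way to carry out the recommendation to initialize during deployment, shown as an added example that is not code from the Distribution repository. It assumes the contract is deployed behind an OpenZeppelin ERC1967Proxy; the IDistributionInit interface, its simplified two-argument signature (the pool list is omitted) and the DistributionDeployer contract are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";

// Hypothetical, simplified view of the initializer discussed above.
// The real Distribution_init also receives the pools to create.
interface IDistributionInit {
    function Distribution_init(address depositToken_, address l1Sender_) external;
}

// Hypothetical deployer: creates the proxy and runs the initializer in one
// transaction, so the proxy never exists on-chain in an uninitialized state.
contract DistributionDeployer {
    event DistributionDeployed(address indexed proxy, address depositToken, address l1Sender);

    function deploy(
        address implementation_,
        address depositToken_,
        address l1Sender_
    ) external returns (address proxy_) {
        require(implementation_.code.length > 0, "Deployer: no implementation code");
        require(depositToken_ != address(0), "Deployer: zero deposit token");
        require(l1Sender_ != address(0), "Deployer: zero L1 sender");

        // Calldata for the initializer, type-checked against the interface.
        bytes memory initData_ = abi.encodeCall(
            IDistributionInit.Distribution_init,
            (depositToken_, l1Sender_)
        );

        // The ERC1967Proxy constructor delegatecalls initData_ into the
        // implementation. If the initializer reverts, proxy creation reverts
        // too, so there is no window in which a third party can call it first.
        proxy_ = address(new ERC1967Proxy(implementation_, initData_));

        emit DistributionDeployed(proxy_, depositToken_, l1Sender_);
    }
}
```

If the initializer records msg.sender as the owner, the owner will be this deployer contract rather than the account that called deploy, so ownership has to be handed over within the same call.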