The Distribution_init function in the Distribution smart contract is susceptible to a front-running vulnerability during initialization. A front-run initialization forces re-deployment of the proxy contract or, in the worst case, if the deployer does not verify the parameters that were set, leaves the contract configured with parameters of the attacker's choosing.
The vulnerability stems from the initialization process being publicly visible: the pending transaction can be observed before it is mined. The Distribution_init function initializes the contract and deploys pools using the provided parameters.
contracts/Distribution.sol#L54C5-L68C6
An attacker could monitor the Ethereum mempool for transactions deploying new instances of the smart contract and front-run the initialization call. This forces re-deployment of the proxy contract or, in the worst case, if the deployer does not verify the parameters that were set, leaves the parameters set according to the attacker's interest.
To mitigate the front-running vulnerability during initialization, consider implementing the following measure:
Add an access control mechanism to the Distribution_init function. For example, when deploying the implementation contract, add an immutable variable and store the deployer's address in it. Only that stored address should be able to call the Distribution_init initializer function.
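One way to implement this check in Solidity, as an added illustration rather than the project's own code (the `depositToken_` and `poolRewards_` parameters are placeholders; the real Distribution_init signature is the project's):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the project's code. The parameters below are
// stand-ins for whatever the real Distribution_init accepts.
contract DistributionHardened {
    // Recorded when the implementation is deployed. Immutables are embedded
    // in the implementation bytecode, so the check still holds when the
    // initializer is reached through a proxy via delegatecall.
    address private immutable DEPLOYER;

    bool private initialized;
    address public depositToken;
    uint256[] public poolRewards;

    error NotDeployer(address caller);
    error AlreadyInitialized();

    constructor() {
        // The account (or factory) that deploys the implementation must be
        // the same account that later calls Distribution_init via the proxy.
        DEPLOYER = msg.sender;
    }

    // Before the fix, anyone who saw the deployment in the mempool could
    // call the initializer first with parameters of their choosing.
    // After the fix, only the recorded deployer may run it, and only once.
    function Distribution_init(
        address depositToken_,
        uint256[] calldata poolRewards_
    ) external {
        if (msg.sender != DEPLOYER) revert NotDeployer(msg.sender);
        if (initialized) revert AlreadyInitialized();
        initialized = true;

        depositToken = depositToken_;
        for (uint256 i = 0; i < poolRewards_.length; i++) {
            poolRewards.push(poolRewards_[i]);
        }
    }
}
```

If the implementation is deployed by a different account than the one that will initialize the proxy, pass the authorised initializer address to the constructor instead of using msg.sender.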