Severity: high
Invalid

`initVault` function of LoveToken.sol can be reinitialized multiple times

## Summary

The `initVault` function lacks any safeguard to prevent the authorized addresses (`airdropVault` and `stakingVault`) from calling it multiple times. This vulnerability allows attackers to exploit the function and:

  1. Mint an unlimited amount of tokens

  2. Approve excessive token transfers:

```solidity
// Body of initVault in LoveToken.sol; the function signature is not part of the excerpt.
    if (msg.sender == airdropVault) {
        _mint(airdropVault, 500_000_000 ether);
        approve(managerContract, 500_000_000 ether);
        emit AirdropInitialized(managerContract);
    } else if (msg.sender == stakingVault) {
        _mint(stakingVault, 500_000_000 ether);
        approve(managerContract, 500_000_000 ether);
        emit StakingInitialized(managerContract);
    } else revert LoveToken__Unauthorized();
}
```

## Vulnerability Details
No mechanism restricts the number of times each authorized address can call `initVault`, which can lead to minting an unlimited amount of tokens.
## Impact
Unlimited token minting can significantly dilute the value of existing tokens, harming investors and holders.
## Tools Used
Manual Review
## Recommendations
Use a boolean flag similar to `vaultInitialize`, but combine it with proper access control mechanisms. Ensure only authorized addresses can call `initVault`, and set the flag to true after the first initialization.
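One way to express this recommendation, as an added example that is not the LoveToken source or the submitter's code: a minimal stand-alone token that keeps the two branches from the excerpt and adds a one-time guard per vault. The contract name, the `vaultInitialized` mapping, the `AlreadyInitialized` error, the constructor and the `initVault(address managerContract)` signature are assumptions; mint and approve are inlined so the block compiles without imports.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration only: not the project's contract.
contract GuardedVaultToken {
    error LoveToken__Unauthorized();
    error AlreadyInitialized(); // hypothetical error name

    event AirdropInitialized(address indexed managerContract);
    event StakingInitialized(address indexed managerContract);

    address public immutable airdropVault;
    address public immutable stakingVault;

    // Minimal ERC20-style state (Transfer/Approval events omitted for brevity).
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    // Hypothetical flag: one entry per authorized vault address.
    mapping(address => bool) public vaultInitialized;

    constructor(address _airdropVault, address _stakingVault) {
        airdropVault = _airdropVault;
        stakingVault = _stakingVault;
    }

    // Signature assumed from the `managerContract` identifier in the excerpt.
    function initVault(address managerContract) external {
        // Access control first: only the two vault addresses may proceed.
        if (msg.sender != airdropVault && msg.sender != stakingVault) {
            revert LoveToken__Unauthorized();
        }
        // One-time guard: a repeat call from the same vault reverts before any mint.
        if (vaultInitialized[msg.sender]) revert AlreadyInitialized();
        vaultInitialized[msg.sender] = true;

        // Same amounts as the excerpt: mint to the calling vault, approve the manager.
        totalSupply += 500_000_000 ether;
        balanceOf[msg.sender] += 500_000_000 ether;
        allowance[msg.sender][managerContract] = 500_000_000 ether;

        if (msg.sender == airdropVault) emit AirdropInitialized(managerContract);
        else emit StakingInitialized(managerContract);
    }
}
```

With the flag keyed by caller, each vault can initialize exactly once, so total supply from this path is capped at two mints of `500_000_000 ether`.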
Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Other
