First Flight #9: Soulmate

First Flight #9

Beginner FriendlyFoundryNFT

100 EXP

View results

Previous Next

Submission Details

Severity: low

Invalid

Lack of Access Control in Vault Contract Initialization

0xVinylDavyl

Summary

The Vault contract lacks proper access control mechanisms, allowing for potential unauthorized initialization of the vaults. This vulnerability could lead to unauthorized manipulation of token funds and disrupt the functionality of associated contracts such as Airdrop and Staking.

Vulnerability Details

The vulnerability arises from the absence of access control checks in the initVault function of the Vault contract. Without proper access restrictions, any address can initialize the vault, potentially leading to unauthorized access and manipulation of token funds.

function initVault(ILoveToken loveToken, address managerContract) public {

if (vaultInitialize) revert Vault__AlreadyInitialized();

loveToken.initVault(managerContract);

vaultInitialize = true;

}

Impact

The impact of this vulnerability includes the risk of financial losses due to unauthorized access and manipulation of token funds held in the vaults. Furthermore, it could disrupt the functionality of associated contracts, affecting the overall operation of the system.

Tools Used

Manual code review and analysis techniques were used to identify the vulnerability.

Recommendations

Implement access control mechanisms to restrict vault initialization to authorized contracts or addresses. For example, utilize modifiers to only allow specific addresses to call the initVault function.

modifier onlyAuthorized() {

require(msg.sender == authorizedAddress, "Unauthorized");

}

function initVault(ILoveToken loveToken, address managerContract) public onlyAuthorized {

if (vaultInitialize) revert Vault__AlreadyInitialized();

loveToken.initVault(managerContract);

vaultInitialize = true;

}

Utilize event logging to monitor vault initialization activities and detect any unauthorized attempts. Emit events within the initVault function to log successful vault initializations and potential unauthorized access attempts.

event VaultInitialized(address indexed loveToken, address indexed managerContract);

function initVault(ILoveToken loveToken, address managerContract) public onlyAuthorized {

if (vaultInitialize) revert Vault__AlreadyInitialized();

loveToken.initVault(managerContract);

vaultInitialize = true;

emit VaultInitialized(address(loveToken), managerContract);

}

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Other

Rewards breakdown

nSLOC

233

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.