Submission Details
Severity: high
Invalid

initVault can be front-run, wrong `managerContract` can be deployed

Summary

The initVault function in the Vault contract is declared public, so any account can call it, which makes the initialization susceptible to front-running. A malicious actor could therefore be the one who supplies the managerContract address, and the wrong managerContract would end up wired into the system. When Vault initialization reaches LoveToken.initVault(address managerContract), LoveToken approves a substantial token amount to the specified managerContract, so an attacker-chosen manager address is a potential security vulnerability.

Vulnerability Details

The initVault function in the Vault contract is publicly accessible. A malicious actor who sees the deployer's initialization transaction in the mempool can submit their own call to initVault with a higher gas price and have it mined first, so the contract is initialized with attacker-chosen parameters before the legitimate call executes.

In particular, the attacker can pass a different contract as the managerContract that LoveToken is told about, so the token is initialized against an address the protocol did not intend.

If this happens, the LoveToken contract approves a significant amount of tokens to that managerContract without verifying that it is the intended manager, which creates a path to large-scale losses if the managerContract is attacker-controlled or otherwise compromised.

Impact

  1. Front-running: because initVault is public, a malicious actor can initialize the Vault before the deployer does and choose the initialization parameters.

  2. Incorrect managerContract: initializing with an attacker-chosen managerContract wires an untrusted contract into the system and can compromise its security.

  3. Excessive Token Approval: approving a large token amount to that managerContract without adequate checks may lead to substantial losses if the managerContract is compromised.

Tools Used

Manual code review and analysis.

Recommendations

When deploying the contracts, deploy and initialize them in the same transaction (for example from a deployer contract or a deployment script that performs both calls atomically), so there is no window between deployment and initialization in which a front-runner could call initVault. Restricting initVault to the deploying account and ensuring it can only run once provides a second line of defense.
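The following Foundry file is an added illustration of the issue and the recommendation; it is not the audited Vault or LoveToken code. MockToken, NaiveVault, GuardedVault and VaultFactory are hypothetical contracts written to mirror the behaviour described above (a vault initializer that makes the token approve a manager), and the file assumes forge-std is available on the import path. NaiveVault is the front-runnable pattern; GuardedVault adds a deployer-only, once-only check; VaultFactory deploys and initializes in one transaction.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical token mirroring the behaviour described in the finding:
// initVault grants the manager an allowance over the caller's (vault's) balance.
interface IInitVaultToken {
    function initVault(address managerContract) external;
}

contract MockToken is IInitVaultToken {
    mapping(address => mapping(address => uint256)) public allowance;

    // The caller (the vault) approves the manager for an unbounded amount.
    function initVault(address managerContract) external {
        allowance[msg.sender][managerContract] = type(uint256).max;
    }
}

// The pattern the finding describes: anyone may call initVault.
contract NaiveVault {
    bool public initialized;
    address public manager;

    function initVault(IInitVaultToken token, address managerContract) public {
        require(!initialized, "already initialized");
        initialized = true;
        manager = managerContract;
        token.initVault(managerContract);
    }
}

// Hardened: only the deployer may initialize, and only once.
contract GuardedVault {
    address public immutable deployer;
    bool public initialized;
    address public manager;

    error AlreadyInitialized();
    error NotDeployer();

    constructor() {
        deployer = msg.sender;
    }

    function initVault(IInitVaultToken token, address managerContract) external {
        if (initialized) revert AlreadyInitialized();
        if (msg.sender != deployer) revert NotDeployer();
        initialized = true;
        manager = managerContract;
        token.initVault(managerContract);
    }
}

// Deploy and initialize atomically: the vault never exists uninitialized
// at the end of any block, so there is nothing to front-run.
contract VaultFactory {
    function deployAndInit(IInitVaultToken token, address managerContract)
        external
        returns (GuardedVault vault)
    {
        vault = new GuardedVault();              // deployer == address(this)
        vault.initVault(token, managerContract); // same transaction
    }
}

contract VaultInitTest is Test {
    MockToken token;
    address attacker = makeAddr("attacker");
    address legitManager = makeAddr("manager");

    function setUp() public {
        token = new MockToken();
    }

    // Naive vault: the attacker's call lands first and picks the manager,
    // and the token has already approved that manager for type(uint256).max.
    function test_naiveVaultCanBeFrontRun() public {
        NaiveVault vault = new NaiveVault();
        vm.prank(attacker);
        vault.initVault(token, attacker);
        assertEq(vault.manager(), attacker);
        assertEq(token.allowance(address(vault), attacker), type(uint256).max);
        vm.expectRevert("already initialized");
        vault.initVault(token, legitManager); // the legitimate call now fails
    }

    // Guarded vault: the same attempt from a foreign caller reverts.
    function test_guardedVaultRejectsForeignCaller() public {
        GuardedVault vault = new GuardedVault();
        vm.prank(attacker);
        vm.expectRevert(GuardedVault.NotDeployer.selector);
        vault.initVault(token, attacker);
    }

    // Factory: deployment and initialization happen in one transaction.
    function test_factoryInitializesAtomically() public {
        VaultFactory factory = new VaultFactory();
        GuardedVault vault = factory.deployAndInit(token, legitManager);
        assertEq(vault.manager(), legitManager);
        assertTrue(vault.initialized());
    }
}
```

Run with `forge test` in a Foundry project that has forge-std installed. The deployer check alone is enough to stop a mempool front-runner; the factory additionally removes the uninitialized state from the chain entirely, which also protects against a deployment script that crashes between the two calls.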

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Other
