The initVault function in the Vault contract is declared as public, making it susceptible to front-running attacks. Additionally, there is a risk of deploying the wrong managerContract by any malicious actor. The LoveToken contract, when calling initVault(address managerContract), approves a substantial amount to the specified managerContract, posing a potential security vulnerability.
The initVault function in the Vault contract is publicly accessible, which allows malicious actors to front-run the initialization, potentially causing unexpected behavior or exploiting the system.
There is a risk that a malicious actor deploys a different contract as the managerContract in the LoveToken contract, leading to unintended consequences during initialization.
If this happens, the LoveToken contract approves a significant amount of tokens to the managerContract without proper checks, creating a potential avenue for large-scale losses if the managerContract is compromised.
Front-running: Malicious actors may exploit the public nature of initVault to manipulate the initialization process, leading to undesirable outcomes.
Incorrect managerContract: Deploying the wrong managerContract can result in unexpected behaviors, potentially compromising the security of the system.
Excessive Token Approval: Approving a large token amount without adequate checks may lead to substantial losses if the managerContract is compromised.
Manual code review and analysis.
When deploying the contracts, make sure to deploy and initialize in the same transaction to avoid the front-running.
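The following contrast, added here as an illustration and not taken from the audited code base, shows the unrestricted initializer pattern the finding describes next to two hardened forms that implement the recommendation. The contract names Vault/LoveToken and the initVault(address managerContract) signature come from the finding; everything else (the IERC20Like interface, the APPROVAL_AMOUNT constant, the deployer guard, the VaultFactory) is a hypothetical stand-in, and the assumption that initVault performs the LoveToken approval on behalf of the vault is mine.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative code written for this finding; not the project's own contracts.
interface IERC20Like {
    function approve(address spender, uint256 amount) external returns (bool);
}

// Pattern the finding describes: a public initializer with no caller restriction.
// Between deployment and the intended initVault call, any account can call it
// first, choose managerContract, and receive the large approval.
contract VulnerableVault {
    uint256 public constant APPROVAL_AMOUNT = 1_000_000 ether; // hypothetical value
    IERC20Like public immutable loveToken;
    address public managerContract;
    bool private initialized;

    constructor(IERC20Like _loveToken) {
        loveToken = _loveToken;
    }

    function initVault(address _managerContract) public {
        require(!initialized, "already initialized");
        initialized = true;
        managerContract = _managerContract; // no check on who supplied this address
        loveToken.approve(_managerContract, APPROVAL_AMOUNT);
    }
}

// Hardened form 1: initialization is restricted to the deployer and validates
// the manager address. Even if deploy and init land in separate transactions,
// a third party cannot win the race.
contract GuardedVault {
    uint256 public constant APPROVAL_AMOUNT = 1_000_000 ether; // hypothetical value
    IERC20Like public immutable loveToken;
    address private immutable deployer;
    address public managerContract;
    bool private initialized;

    constructor(IERC20Like _loveToken) {
        loveToken = _loveToken;
        deployer = msg.sender;
    }

    function initVault(address _managerContract) external {
        require(msg.sender == deployer, "only deployer");
        require(!initialized, "already initialized");
        require(_managerContract != address(0), "zero manager");
        // Reject EOAs: the manager is expected to be a deployed contract.
        require(_managerContract.code.length > 0, "manager must be a contract");
        initialized = true;
        managerContract = _managerContract;
        loveToken.approve(_managerContract, APPROVAL_AMOUNT);
    }
}

// Hardened form 2: deploy and initialize atomically, as the recommendation
// advises. The factory is msg.sender for the constructor, so it is the only
// address allowed to call initVault, and it does so in the same transaction.
// No block state ever exposes an uninitialized vault.
contract VaultFactory {
    event VaultDeployed(address vault, address managerContract);

    function deployVault(IERC20Like loveToken, address managerContract)
        external
        returns (GuardedVault vault)
    {
        vault = new GuardedVault(loveToken);
        vault.initVault(managerContract);
        emit VaultDeployed(address(vault), managerContract);
    }
}
```

When reviewing a deployment, the check to make is that no transaction exists in which the vault address has code but initVault has not yet been called; with the factory path above that condition holds by construction, and with GuardedVault alone it holds because only the deployer can complete initialization.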