Submission Details
Severity:
Vaults can be initialized by anyone (front-run)
Summary
Vaults initialisation can be frontrunned and setup with wrong parameters. Allowing a malicious user to drain all the tokens
Vulnerability Details
function initVault(ILoveToken loveToken, address managerContract) public {
if (vaultInitialize) revert Vault__AlreadyInitialized();
loveToken.initVault(managerContract);
vaultInitialize = true;
}
There is no access control on the initialisation of the vault, permiting a malicous user to set-up himself as the "managerContract".
function initVault(address managerContract) public {
if (msg.sender == airdropVault) {
_mint(airdropVault, 500_000_000 ether);
approve(managerContract, 500_000_000 ether);
emit AirdropInitialized(managerContract);
} else if (msg.sender == stakingVault) {
_mint(stakingVault, 500_000_000 ether);
approve(managerContract, 500_000_000 ether);
emit StakingInitialized(managerContract);
} else revert LoveToken__Unauthorized();
} ```
the "approve" lines allow him to drain all the funds in the loveToken contract
## Impact
LoveTokens can be drained by the malicious user
## Tools Used
Manual review
## Recommendations
init the vaults in the constructor of the LoveToken
Rewards breakdown
nSLOC
233This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.