The absence of access control for the init()
function in the InitMigrateUnripeBeanEthToBeanSteth
contract leaves it open to unauthorized invocation, potentially leading to unintended changes in protocol state and exploitation risks.
The vulnerability lies within the InitMigrateUnripeBeanEthToBeanSteth
contract's init()
function, which lacks proper access control mechanisms. Let's break down the issue comprehensively:
The init()
function is intended to initialize the migration process of Unripe LP underlying tokens from Bean:Eth
to Bean:Steth
.
It likely performs critical actions such as updating storage variables, setting initial configurations, and possibly interacting with other contracts or protocols.
The init()
function is marked as external, which means it can be called by any external account or contract.
However, there are no access control checks implemented within the function, allowing any Ethereum address to call it.
This lack of access control poses a severe risk, as unauthorized parties could trigger the initialization process, potentially leading to unintended changes in the protocol's state or disruptions in its operations.
Without proper access control, malicious actors could exploit the function to manipulate protocol parameters, disrupt token migrations, or even drain funds from the contract.
The lack of access control for the init()
function poses a significant risk to the security and integrity of the protocol. Any malicious actor or unintended user can potentially invoke this function after deployment, leading to unauthorized changes in the protocol state or disruption of its operations.
Manual
Modify the init()
function to include an access control check that verifies the caller is the diamond cut contract.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.