Lack of Access Control for Constructor in `Adminable.sol`
Summary
The contract does not have a constructor, which means that the admin address will be set to the address that deploys the
contract. This could lead to unintended consequences if the contract is deployed by an unauthorized or untrusted
address.
Vulnerability Details
In Solidity, when a contract doesn't have an explicit constructor defined, the contract is given an implicit constructor
that takes no arguments and has an empty body. This means that when the contract is deployed, the admin state variable
will be automatically set to the address that deploys the contract. The problem with this approach is that it lacks
access control over who can initially set the admin address.
This vulnerability is considered high severity because it can lead to serious consequences if an attacker or unauthorized party manages to deploy the contract before the intended deployer. The attacker would gain full control over the contract, allowing them to perform administrative actions like transferring the admin role to themselves or others.
Impact
If the contract is deployed by an unauthorized or untrusted address, that address will become the initial admin,
giving them complete control over the contract's administrative functions.
Recommendations
To mitigate this vulnerability, we can add an explicit constructor to the contract. This constructor should initialize the admin address with a specific, trusted address that we control.
Example
By adding an explicit constructor and initializing the admin address with a trusted address during deployment, we can ensure that only the intended party has control over the administrative functions of the contract from the beginning.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.