Starklane::initialize() can be called on the implementation contract; if the OZ version is prior to 4.3.2, this can be a problem.
The bridge contract does not prevent the function Starklane::initialize() from being called on the implementation contract.
If the OZ version is prior to 4.3.2, an attacker can claim ownership and selfdestruct the contract.
Ref:
https://x.com/xb0g0/status/1783020362688598371
https://forum.openzeppelin.com/t/uupsupgradeable-vulnerability-post-mortem/15680
An uninitialized implementation contract can be taken over by an attacker.
vscode
Add a constructor for the bridge and set _initializedImpls[impl] = true to prevent the contract from being initialized by an attacker.
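A sketch of the recommended constructor, added here as an illustration and not taken from the Ark bridge source. It assumes the initialize guard keys _initializedImpls by the address stored in the ERC-1967 implementation slot; BridgeSketch, owner, _implementation() and AlreadyInitialized are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative only: hypothetical stand-in for the bridge implementation.
contract BridgeSketch {
    // ERC-1967 implementation slot:
    // bytes32(uint256(keccak256("eip1967.proxy.implementation")) - 1)
    bytes32 private constant _IMPL_SLOT =
        0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;

    address public owner;

    // Assumed guard layout: one flag per implementation address.
    mapping(address => bool) private _initializedImpls;

    error AlreadyInitialized();

    constructor() {
        // The constructor runs once, against the implementation's OWN storage.
        // There the ERC-1967 slot is unset, so _implementation() is address(0),
        // which is exactly the key a direct initialize() call would look up.
        // Setting the flag here locks the implementation itself.
        _initializedImpls[_implementation()] = true;
    }

    function _implementation() private view returns (address impl) {
        bytes32 slot = _IMPL_SLOT;
        assembly {
            impl := sload(slot)
        }
    }

    /// Through a proxy (delegatecall), storage belongs to the proxy: the slot
    /// holds the real implementation address and its flag is still false, so
    /// the first call succeeds. Called directly on the implementation, the
    /// flag set in the constructor makes this revert.
    function initialize(address owner_) external {
        address impl = _implementation();
        if (_initializedImpls[impl]) revert AlreadyInitialized();
        _initializedImpls[impl] = true;
        owner = owner_;
    }
}
```

The constructor never touches proxy storage, so existing and future proxies still initialize normally; only the bare implementation address is locked.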
Likelihood: Low/Medium
Impact: Very low, the attacker can at most run the protocol on their side and lead a phishing campaign with an address deployed by Ark.