Anyone can call the initialize function before it is initialized.
The `initialize` function is publicly accessible and protected only by the `onlyInit` modifier, which checks if the function has been called before but does not restrict who can call it. This allows any external actor to initialize the contract and set themselves as the owner, along with other critical parameters.
An attacker can frontrun the uninitialized contract. The attacker calls the `initialize` function, providing their own address as the owner. The attacker can also decide to set the other parameters to what they are supposed to be.
An unauthorized actor can become the contract owner.
Manual review
Implement strict access control on the `initialize` function.
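The pattern described in this finding next to one way of restricting the caller, as an added example that is not the audited project's code. The contract names, the `deployer` variable and the function bodies are hypothetical; only `initialize`, `onlyInit` and the owner parameter come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical contract reproducing the reported pattern.
contract VaultAsReported {
    address public owner;
    bool private initialized;

    // Checks only that initialization has not happened yet,
    // not who is calling.
    modifier onlyInit() {
        require(!initialized, "already initialized");
        _;
        initialized = true;
    }

    // The first caller, whoever it is, chooses the owner.
    function initialize(address _owner) external onlyInit {
        owner = _owner;
    }
}

// Hypothetical hardened variant: only the deploying account may initialize.
contract VaultHardened {
    address public owner;
    bool private initialized;
    // Immutables live in the bytecode, so this check also holds
    // when the logic is reached through a proxy delegatecall.
    address private immutable deployer;

    constructor() {
        deployer = msg.sender;
    }

    modifier onlyInit() {
        require(!initialized, "already initialized");
        require(msg.sender == deployer, "caller is not deployer");
        initialized = true; // set the flag before running the body
        _;
    }

    function initialize(address _owner) external onlyInit {
        require(_owner != address(0), "owner is zero address");
        owner = _owner;
    }
}
```

For a contract deployed behind a proxy, sending the `initialize` call in the same transaction that deploys the proxy removes the window between deployment and initialization.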
If frontrun at the first deployment, the protocol will deploy again, no real impact: informational. Moreover, it is already deployed and initialized on mainnet. For the upgrades, `initialize` can/will change for the next update since the owner is already set. A lot of protocols make that change. That's why I consider it like a future feature and it is out of scope.