NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

No access control in `Starklane::initialize` function

Summary

No access control is present in the `initialize` function. If the protocol is deployed on mainnet and the admin does not call the function immediately, anyone can call it first and pass their own address as the owner, which is not desirable.

Vulnerability Details

The `initialize` function:

```solidity
function initialize(
    bytes calldata data
)
    public
    onlyInit
{
    (
        address owner,
        IStarknetMessaging starknetCoreAddress,
        uint256 starklaneL2Address,
        uint256 starklaneL2Selector
    ) = abi.decode(
        data,
        (address, IStarknetMessaging, uint256, uint256)
    );
    _enabled = false;
    _starknetCoreAddress = starknetCoreAddress;
    _transferOwnership(owner);
    setStarklaneL2Address(starklaneL2Address);
    setStarklaneL2Selector(starklaneL2Selector);
}
```


The function is marked with the `onlyInit` modifier, which ensures it can only be called once, but it has no access control modifier such as `onlyAdmin`.

If the contract is deployed and someone calls `initialize` before the admin does, they can supply their own address in `data`: the line `_transferOwnership(owner);` then transfers ownership to them and they gain admin access. Because `onlyInit` marks the contract as initialized, the admin's own later call reverts, so ownership cannot be reclaimed through `initialize`.

Impact

Likelihood is low, as this can only occur through a deployment mistake (the admin does not call `initialize` before someone else does).
Impact is high, as someone else can gain admin rights.

Hence the severity is kept at low, since this is a very narrow situation.

Tools Used

Manual review

Recommendations

Add an access control modifier to `initialize` so that only the intended admin (for example, the deployer) can call it, or deploy and initialize atomically in a single transaction so there is no window in which another caller can run it first.
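The following Foundry test is an added example, not Starklane's code or the project's own test suite. It reduces the pattern in the report to a minimal contract with an `onlyInit`-style one-shot flag and an unauthenticated `initialize`, shows an attacker landing the first call and taking ownership, and contrasts it with a hardened variant that pins the deployer in its constructor and only lets that account initialize. Contract names, the `_deployer` field, the revert strings and the `ADMIN`/`ATTACKER` addresses are all assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";

/// Stand-in for the reported pattern (assumed shape, not the Starklane code):
/// a one-shot initializer guarded only by an "already initialized" flag.
contract UnguardedInit {
    bool internal _initialized;
    address public owner;

    // Mirrors an `onlyInit` modifier: first call passes, every later call reverts.
    modifier onlyInit() {
        require(!_initialized, "already initialized");
        _;
        _initialized = true;
    }

    // No caller check: whoever calls first chooses `owner`.
    function initialize(bytes calldata data) external onlyInit {
        address newOwner = abi.decode(data, (address));
        owner = newOwner;
    }
}

/// Hardened variant (assumed fix): the deployer is recorded at construction
/// and is the only account allowed to run the one-shot initializer.
contract GuardedInit {
    bool internal _initialized;
    address public owner;
    address internal immutable _deployer;

    constructor() {
        _deployer = msg.sender;
    }

    modifier onlyInit() {
        require(!_initialized, "already initialized");
        _;
        _initialized = true;
    }

    function initialize(bytes calldata data) external onlyInit {
        require(msg.sender == _deployer, "not deployer");
        address newOwner = abi.decode(data, (address));
        owner = newOwner;
    }
}

contract InitFrontrunTest is Test {
    // Constructed addresses for the scenario.
    address constant ADMIN = address(0xA11CE);
    address constant ATTACKER = address(0xBAD);

    function test_attacker_takes_ownership_of_unguarded() public {
        UnguardedInit c = new UnguardedInit();

        // The attacker's transaction is mined before the admin's.
        vm.prank(ATTACKER);
        c.initialize(abi.encode(ATTACKER));
        assertEq(c.owner(), ATTACKER);

        // The admin's call now reverts: the contract is already initialized.
        vm.prank(ADMIN);
        vm.expectRevert(bytes("already initialized"));
        c.initialize(abi.encode(ADMIN));
    }

    function test_guarded_rejects_non_deployer() public {
        // Deployed by this test contract, so `_deployer == address(this)`.
        GuardedInit c = new GuardedInit();

        vm.prank(ATTACKER);
        vm.expectRevert(bytes("not deployer"));
        c.initialize(abi.encode(ATTACKER));

        // The deployer can still hand ownership to the intended admin.
        c.initialize(abi.encode(ADMIN));
        assertEq(c.owner(), ADMIN);
    }
}
```

Run with `forge test --match-contract InitFrontrunTest`. The deployer check closes the window only when the account that deploys the contract is the one expected to initialize it; behind a proxy, the equivalent is to pass the `initialize` calldata to the proxy's constructor so deployment and initialization happen in the same transaction.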

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

invalid-bridge-initialize-frontrun

If front-run at the first deployment, the protocol will deploy again; no real impact: informational. Moreover, it is already deployed and initialized on mainnet. For the upgrades, `initialize` can/will change for the next update since the owner is already set. A lot of protocols make that change. That's why I consider it a future feature and it is out of scope.
