The initialize
function is defined as public
but should be external
to align with its intended use and prevent unintended internal calls. This function is designed for one-time initialization and is not intended to be called from within the contract itself.
The initialize
function is currently marked as public
, which means it can be called both internally (from within the contract) and externally (from outside the contract). Given that initialization functions are typically intended to be called only once and from outside the contract (e.g., by a deployment script or initialization process), the correct access level should be external
.
Security Risk: Allowing internal calls could inadvertently permit unauthorized initialization or re-initialization of the contract’s state.
Contract Integrity: Improper initialization or multiple initializations could compromise the contract’s state, leading to potential vulnerabilities.
Manual Code Review
Update the Visibility to external
: This will restrict the function to be callable only from outside the contract, aligning with best practices for initialization functions.
Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.