NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

Improper Visibility for Initialization Function

Summary

The initialize function is defined as public but should be external to align with its intended use and prevent unintended internal calls. This function is designed for one-time initialization and is not intended to be called from within the contract itself.

Vulnerability Details

The initialize function is currently marked as public, which means it can be called both internally (from within the contract) and externally (from outside the contract). Given that initialization functions are typically intended to be called only once and from outside the contract (e.g., by a deployment script or initialization process), the correct access level should be external.

Impact

Security Risk: Allowing internal calls could inadvertently permit unauthorized initialization or re-initialization of the contract’s state.

Contract Integrity: Improper initialization or multiple initializations could compromise the contract’s state, leading to potential vulnerabilities.

Tools Used

Manual Code Review

Recommendations

Update the visibility to external: this restricts the function to calls from outside the contract, in line with common practice for initialization functions.

```solidity
function initialize(bytes calldata data) external onlyInit {
    // body unchanged from the current implementation
}
```
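To make the visibility discussion concrete, here is an added illustration (not NFTBridge code, and not the contest's own `onlyInit`, which this page does not show). It assumes `onlyInit` is a one-shot boolean guard, places the recommended `external` / `calldata` form beside an otherwise identical `public` one, and includes a small harness that calls `initialize` twice. The second call reverts with `AlreadyInitialized` in either variant: the modifier, not the visibility keyword, is what prevents re-initialization, while `external` with `calldata` avoids copying the argument into memory and rules out plain internal calls.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not NFTBridge code. The contest's `onlyInit`
// modifier is not shown on this page; here it is assumed to be a
// simple one-shot boolean guard.
contract InitializableExample {
    bool private _initialized;
    address public owner;

    error AlreadyInitialized();

    modifier onlyInit() {
        if (_initialized) revert AlreadyInitialized();
        _initialized = true;
        _;
    }

    // Recommended shape from the finding: `external` with `calldata`.
    // The argument is read directly from calldata (no memory copy), and
    // the function cannot be reached by a plain internal call; a call via
    // `this.initialize(data)` is an external message call that still runs
    // the modifier.
    function initialize(bytes calldata data) external onlyInit {
        owner = abi.decode(data, (address));
    }

    // Same logic with `public`: reachable by internal calls as well, but
    // the modifier still runs on every call, so a second call reverts
    // regardless of visibility.
    function initializePublic(bytes memory data) public onlyInit {
        owner = abi.decode(data, (address));
    }
}

// Deploy-and-call harness (usable from Remix or a script): deploys the
// example, calls initialize twice and reports whether each call succeeded.
contract InitDemo {
    function run() external returns (bool firstCallOk, bool secondCallOk) {
        InitializableExample c = new InitializableExample();
        // Constructed sample payload: an arbitrary owner address.
        bytes memory data = abi.encode(address(uint160(0xBEEF)));
        try c.initialize(data) { firstCallOk = true; } catch { firstCallOk = false; }
        try c.initialize(data) { secondCallOk = true; } catch { secondCallOk = false; }
    }
}
```

Swapping `initialize` for `initializePublic` in the harness gives the same pattern of results, which is why the visibility change is a gas and style improvement rather than a fix for re-initialization; the initializer guard carries that protection.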
Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational / Gas

Please do not suppose impacts; think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity. A PoC always helps to understand the real impact possible.
