Improper Visibility for Initialization Function
Summary
The initialize function is defined as public but should be external to align with its intended use and prevent unintended internal calls. This function is designed for one-time initialization and is not intended to be called from within the contract itself.
Vulnerability Details
The initialize function is currently marked as public, which means it can be called both internally (from within the contract) and externally (from outside the contract). Given that initialization functions are typically intended to be called only once and from outside the contract (e.g., by a deployment script or initialization process), the correct access level should be external.
Impact
Security Risk: Allowing internal calls could inadvertently permit unauthorized initialization or re-initialization of the contract’s state.
Contract Integrity: Improper initialization or multiple initializations could compromise the contract’s state, leading to potential vulnerabilities.
Tools Used
Manual Code Review
Recommendations
Update the Visibility to external: This will restrict the function to be callable only from outside the contract, aligning with best practices for initialization functions.
Lead Judging Commences
Informational / Gas
Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.