`RegistryBootstrap.sol::initNexus()` can be re-initialised due to lack of proper access control
Summary
The initNexus() function in the RegistryBootstrap.sol contract code lacks proper access control mechanisms and can be initialized multiple times. This exposes the contract to potential re-initialization attacks and unauthorized modifications, leading to several critical security risks.
Vulnerability Details
The function initNexus() is designed to initialize various components of the smart contract, such as validators, executors, hooks, and fallback handlers. However, it does not include any access control checks to ensure that only authorized users can call the function, and it lacks mechanisms to prevent re-initialization.
Impact
Impact:
The vulnerability can lead to overwriting existing validators, executors, hooks, and fallback handlers with potentially malicious ones, allowing unauthorized or malicious actions within the smart contract. Re-initializing the registry can undermine security, allowing unauthorized control.
Tools Used
Manual
Recommendations
It is recommended to implement proper access control mechanisms to ensure that only authorized users can call the initNexus function. Additionally, use the initializer modifier to ensure the function can only be called once, or use the onlyOwner modifier if the function needs to be controlled by the contract owner.
Lead Judging Commences
finding-ERC7579-does-not-revert-when-module-installed
Invalid per comments [here](https://github.com/Cyfrin/2024-07-biconomy/blob/9590f25cd63f7ad2c54feb618036984774f3879d/contracts/base/ModuleManager.sol#L185-L186), with checks implemented [in this contract here](https://github.com/rhinestonewtf/sentinellist/blob/main/src/SentinelList.sol)
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.