The initNexus()
function in the RegistryBootstrap.sol contract code lacks proper access control mechanisms and can be initialized multiple times. This exposes the contract to potential re-initialization attacks and unauthorized modifications, leading to several critical security risks.
The function initNexus()
is designed to initialize various components of the smart contract, such as validators, executors, hooks, and fallback handlers. However, it does not include any access control checks to ensure that only authorized users can call the function, and it lacks mechanisms to prevent re-initialization.
Impact:
The vulnerability can lead to overwriting existing validators, executors, hooks, and fallback handlers with potentially malicious ones, allowing unauthorized or malicious actions within the smart contract. Re-initializing the registry can undermine security, allowing unauthorized control.
Manual
It is recommended to implement proper access control mechanisms to ensure that only authorized users can call the initNexus
function. Additionally, use the initializer
modifier to ensure the function can only be called once, or use the onlyOwner
modifier if the function needs to be controlled by the contract owner.
Invalid per comments [here](https://github.com/Cyfrin/2024-07-biconomy/blob/9590f25cd63f7ad2c54feb618036984774f3879d/contracts/base/ModuleManager.sol#L185-L186), with checks implemented [in this contract here](https://github.com/rhinestonewtf/sentinellist/blob/main/src/SentinelList.sol)
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.