Fjord Token Staking
Fjord
DeFiFoundry
20,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Uninitialised Owner Variable Leading to Potential Ownership Hijacking in ` AuctionFactory `

finxlfantasy

Summary

A medium-severity vulnerability was identified in the AuctionFactory contract related to its reliance on the owner variable for access control. Specifically, the risk arises if the contract is deployed via a proxy or if ownership is inadvertently transferred. This vulnerability can potentially allow unauthorized users to gain control of the contract if proper initialization or ownership management is not handled correctly.

Vulnerability Details

The AuctionFactory contract manages access control through the owner variable, which is set during contract construction. If this contract were to be used in a proxy deployment, where the constructor is not called, the owner variable could remain uninitialized or be set incorrectly.

Impact

  • Loss of Funds: Unauthorized auctions or transfer of tokens to the wrong addresses could lead to the loss of tokens held by the contract.

  • Ownership Hijacking: An attacker who gains ownership can manipulate the auction creation process, potentially creating fraudulent auctions.

Tools Used

Manuel code review

Recommendations

Include an initialize function that sets the owner and other critical state variables. Ensure that this function can only be called once.

bool public initialized = false;
function initialize(address _fjordPoints, address _owner) public {
require(!initialized, "Already initialized");
require(_owner != address(0), "Invalid owner address");
fjordPoints = _fjordPoints;
owner = _owner;
initialized = true;
}
Updates

Lead Judging Commences

inallhonesty Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.