Tadle
Tadle
DeFiFoundry
27,750 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Missing access control in Rescuable smart contract may lead to the contract being potentially compromised

abaikunanbaev

Summary

In Rescuablesmart contract, initializeOwnership() function has no access control which will lead to the contract being compromised.

Vulnerability Details

Take a look at the initializeOwnership() functionality:

function initializeOwnership(address _newOwner) external {
if (owner() != address(0x0)) {
revert AlreadyInitialized();
}
_transferOwnership(_newOwner);
}

The function is just external with no access control at all meaning anybody can just call it and initialize a new owner. The contract has important functions such as rescueTokens() that may allow protocol to handle emergency situations and it has onlyOwner modifier meaning only the owner can call it. So if the owner is compromised, anybody can call it. This vulnerability can have significant impact on the contracts in scope if the new functionality is introduced as well.

Impact

Anybody can set a new owner of the contract.

Tools Used

Manual review.

Recommendations

Set owner in the constructor() and then add onlyOwner()modifier to the initializeOwnership().

Updates

Lead Judging Commences

0xnevi Lead Judge
about 1 year ago
0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

[invalid] finding-Rescuable-initializeOwner-lack-access-control

Aside from `Rescuable.sol` being OOS, this is invalid based on codehawks guidelines regarding unprotected initializers. Additionally, this should be called concurrently when deploying a new proxy, but this submissions does not identify that particular issue of an uninitialized owner for proxy contracts

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.