Tadle
DeFiFoundry
27,750 USDC
Submission Details
Severity: low
Invalid

Unprotected initializer in SystemConfig & TokenManager allows multiple initializations

Summary

The SystemConfig::initialize & the TokenManager::initialize functions are not protected against multiple calls. Although they are restricted to the owner, they lack the initializer modifier, which is crucial for preventing re-initialization.

This oversight could lead to unexpected behavior and potential system disruption if the function is called more than once, either accidentally or maliciously.

Vulnerability Details

The vulnerable initialize function in SystemConfig.sol:

    function initialize(
        uint256 _basePlatformFeeRate,
        uint256 _baseReferralRate
@>  ) external onlyOwner { // @audit - Initializer?
        basePlatformFeeRate = _basePlatformFeeRate;
        baseReferralRate = _baseReferralRate;
    }

This function can be called multiple times by the owner, potentially resetting critical system parameters.

Impact

If the initialize function is called multiple times, it could reset critical system parameters such as basePlatformFeeRate and baseReferralRate. This could disrupt the entire system's economic model, potentially leading to:

  1. Incorrect fee calculations

  2. Unexpected changes in referral rates

  3. Inconsistent system state

  4. Potential financial losses for users or the protocol

While the likelihood of exploitation is reduced due to the onlyOwner modifier, the potential impact remains significant, especially in scenarios involving contract upgrades.

Tools Used

Manual Review

Recommendations

To mitigate this issue:

  • Import the Initializable contract from OpenZeppelin:

    import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";

  • Make SystemConfig inherit from Initializable:

    contract SystemConfig is SystemConfigStorage, Rescuable, ISystemConfig, Initializable {
        // ...
    }

  • Add the initializer modifier to the initialize function:

function initialize(
uint256 _basePlatformFeeRate,
uint256 _baseReferralRate
- ) external onlyOwner {
+ ) external onlyOwner initializer {
basePlatformFeeRate = _basePlatformFeeRate;
baseReferralRate = _baseReferralRate;
}
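
Review bot: the initializer modifier is added only to SystemConfig::initialize on the changed line, while the finding's title and summary also name TokenManager::initialize; that function needs the same one-line change, plus the Initializable import and inheritance, for the fix to cover both contracts. Also note that after this change basePlatformFeeRate and baseReferralRate can no longer be set through initialize a second time, so confirm that an owner-only setter exists if the rates are meant to be adjustable after deployment.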

These changes ensure that the initialize function can only be called once, even by the owner, providing robust protection against accidental or malicious re-initialization.
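
A quick source-level check for the pattern this finding describes, as an added example that is not part of the submission or of Tadle's code: it flags initialize functions whose modifier list has no Initializable guard. The sample source is constructed from the snippet above (SystemConfigFixed is a made-up name), and the regex matching is a heuristic, not a Solidity parser.

```python
import re

# Header of a function named `initialize`; group 1 is the text between the
# parameter list and the body, i.e. visibility and modifiers.
HEADER = re.compile(r"\bfunction\s+initialize\s*\([^)]*\)([^{;]*)[{;]")
# One-shot guards provided by OpenZeppelin's Initializable.
GUARD = re.compile(r"\b(?:initializer|reinitializer|onlyInitializing)\b")
CONTRACT = re.compile(r"\bcontract\s+(\w+)")

# Constructed sample: the page's SystemConfig snippet plus its recommended fix.
SAMPLE = """
contract SystemConfig {
    uint256 basePlatformFeeRate;
    uint256 baseReferralRate;
    function initialize(
        uint256 _basePlatformFeeRate,
        uint256 _baseReferralRate
    ) external onlyOwner { // no one-shot guard
        basePlatformFeeRate = _basePlatformFeeRate;
        baseReferralRate = _baseReferralRate;
    }
}
contract SystemConfigFixed is Initializable {
    function initialize(uint256 a, uint256 b) external onlyOwner initializer {}
}
"""

def strip_comments(src):
    """Remove comments but keep newlines so line numbers stay correct."""
    src = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group().count("\n"), src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)

def unguarded_initializers(src):
    """Return (contract, line, modifiers) for each initialize() without a guard."""
    src = strip_comments(src)
    contracts = [(m.start(), m.group(1)) for m in CONTRACT.finditer(src)]
    findings = []
    for m in HEADER.finditer(src):
        if GUARD.search(m.group(1)):
            continue  # a one-shot guard is present
        owner = next((n for pos, n in reversed(contracts) if pos < m.start()), "?")
        line = src.count("\n", 0, m.start()) + 1
        findings.append((owner, line, " ".join(m.group(1).split())))
    return findings

if __name__ == "__main__":
    for contract, line, mods in unguarded_initializers(SAMPLE):
        print(f"{contract}.initialize (line {line}): no one-shot guard, modifiers: {mods}")
```

A hit only means the function can be called again by whoever passes its access control; whether that matters depends on the trust placed in that caller.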

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

[invalid] finding-Rescuable-initialize-owner

Invalid, can only be initialized by admin, which are trusted per contest READ.ME. So this would take a malicious admin to reinitialize contracts.
