Tadle

DeFiFoundry
27,750 USDC
Submission Details
Severity: low
Invalid

Multiple Calls to initialize Function Possible Due to Missing Initialization Check

Summary

The initialize function does not include a check to determine if the contract has already been initialized. This oversight allows the function to be called multiple times, potentially leading to overwriting existing configuration values and unintended behavior.

Vulnerability Details

Because there is no initialization check, every call to the initialize function overwrites the current values of basePlatformFeeRate and baseReferralRate. Previously set values are therefore lost on a repeated call, leading to unexpected behavior in the contract's logic and possibly exposing it to further vulnerabilities.

https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/SystemConfig.sol#L25-L31

Impact

If the initialize function can be called multiple times, it may overwrite previously set values for basePlatformFeeRate and baseReferralRate. This can disrupt the expected functionality of the contract, potentially leading to scenarios where the protocol operates with incorrect parameters.

Tools Used

Manual Review

Recommendations

Introduce a boolean flag to track whether the contract has already been initialized. Revert the transaction if the function is called after initialization. For example:

```solidity
bool private initialized;

function initialize(
    uint256 _basePlatformFeeRate,
    uint256 _baseReferralRate
) external onlyOwner {
    // one-shot guard: any call after the first reverts
    require(!initialized, "Contract is already initialized");
    initialized = true;
    // additional checks on the inputs may follow here
    basePlatformFeeRate = _basePlatformFeeRate;
    baseReferralRate = _baseReferralRate;
}
```
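A Foundry test for the guard, added here as an example and not part of the submission or the Tadle code base; GuardedConfig is a hypothetical stand-in for SystemConfig with the recommended flag, and the rate values are constructed samples:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in for SystemConfig: owner-gated initialize
// protected by the one-shot flag recommended above.
contract GuardedConfig {
    address public immutable owner;
    bool private initialized;
    uint256 public basePlatformFeeRate;
    uint256 public baseReferralRate;

    error AlreadyInitialized();
    error NotOwner();

    constructor() { owner = msg.sender; }

    function initialize(uint256 _basePlatformFeeRate, uint256 _baseReferralRate) external {
        if (msg.sender != owner) revert NotOwner();
        if (initialized) revert AlreadyInitialized();
        initialized = true;
        basePlatformFeeRate = _basePlatformFeeRate;
        baseReferralRate = _baseReferralRate;
    }
}

contract GuardedConfigTest is Test {
    GuardedConfig cfg;

    function setUp() public {
        cfg = new GuardedConfig();     // the test contract is the owner
        cfg.initialize(500, 300_000);  // constructed sample rates
    }

    // Even the owner cannot re-run initialize; the first values survive.
    function testSecondInitializeRevertsAndKeepsValues() public {
        vm.expectRevert(GuardedConfig.AlreadyInitialized.selector);
        cfg.initialize(1, 1);
        assertEq(cfg.basePlatformFeeRate(), 500);
        assertEq(cfg.baseReferralRate(), 300_000);
    }
}
```

Dropping the `initialized` check from GuardedConfig makes the test fail, which is the behaviour the submission describes.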

Updates

Lead Judging Commences

0xnevi Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

[invalid] finding-Admin-Errors-Malicious

The following issues and their duplicates are invalid as admin errors/input validation/malicious intents are generally considered invalid based on [codehawks guidelines](https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity#findings-that-may-be-invalid). If they deploy/set inputs of the contracts appropriately, there will be no issue. Additionally admins are trusted as noted in README; they can break certain assumptions of the code based on their actions, and
