The `initialize` function can be called multiple times, allowing the `wrappedNativeToken` address to be changed after initial setup.
This function lacks a mechanism to prevent multiple initializations, allowing the `wrappedNativeToken` to be changed at any time by the owner.
An attacker who gains owner privileges could change the `wrappedNativeToken` to a malicious contract, potentially leading to fund theft or contract lockup.
The Parity Multisig Wallet hack in 2017 resulted from a reinitialization vulnerability, leading to the loss of $31 million worth of Ether.
Manual code review
Implement a one-time initialization check:
Consider using OpenZeppelin's `Initializable` contract for a standardized initialization approach.
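
The one-time initialization check recommended above, sketched as an added example that is not part of the original submission or the audited code base. Only the names `initialize` and `wrappedNativeToken` come from the finding; the contract names, errors, event and the directly deployed (non-proxy) setting are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical contracts written for this example. Assumes direct deployment
// (no proxy), so the constructor runs against the contract's own storage.

/// Before: owner-gated but repeatable, so the token address can be swapped later.
contract RepeatableInit {
    address public owner;
    address public wrappedNativeToken;

    constructor() {
        owner = msg.sender;
    }

    function initialize(address _wrappedNativeToken) external {
        require(msg.sender == owner, "not owner");
        wrappedNativeToken = _wrappedNativeToken; // no guard: every call overwrites
    }
}

/// After: a one-time flag makes the address fixed once it has been set.
contract OneTimeInit {
    error NotOwner();
    error AlreadyInitialized();
    error ZeroAddress();

    // Emitted exactly once; off-chain monitoring can alert on any unexpected value.
    event Initialized(address indexed wrappedNativeToken);

    address public immutable owner;
    address public wrappedNativeToken;
    bool private initialized;

    constructor() {
        owner = msg.sender;
    }

    function initialize(address _wrappedNativeToken) external {
        if (msg.sender != owner) revert NotOwner();
        if (initialized) revert AlreadyInitialized(); // second call always reverts
        if (_wrappedNativeToken == address(0)) revert ZeroAddress();

        initialized = true;
        wrappedNativeToken = _wrappedNativeToken;
        emit Initialized(_wrappedNativeToken);
    }
}
```

With the guard in place, a compromised owner key can no longer repoint `wrappedNativeToken` after setup; behind a proxy, the same effect comes from the `initializer` modifier of OpenZeppelin's `Initializable` rather than a constructor-set owner.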
The following issues and its duplicates are invalid as admin errors/input validation/malicious intents are generally considered invalid based on [codehawks guidelines](https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity#findings-that-may-be-invalid). If they deploy/set inputs of the contracts appropriately, there will be no issue. Additionally admins are trusted as noted in READ.ME they can break certain assumption of the code based on their actions, and