Tadle

DeFiFoundry

27,750 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

The initialize() can be invoked multiple times by the owner and no event logged

sabit

Summary

The initialize() function, which sets crucial system parameters, can be invoked multiple times by the contract owner.

Vulnerability Details

The initialize() function is defined as follows:

function initialize(
uint256 _basePlatformFeeRate,
uint256 _baseReferralRate
) external onlyOwner {
basePlatformFeeRate = _basePlatformFeeRate;
baseReferralRate = _baseReferralRate;
}

https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/SystemConfig.sol#L25C4-L32C1

Key issues:

No initialization guard: The function lacks a mechanism to prevent multiple calls.
Overwritable critical values: basePlatformFeeRate and baseReferralRate can be changed arbitrarily and frequently.
Lack of events: Changes to these critical parameters are not logged, reducing transparency.

Impact

Frequent changes to base rates could destabilize the entire economic model of the system. Unpredictable changes in fee structures may lead to loss of user confidence. For instance, a user can call get getBaseReferralRate() and get a certain value. After a while, call getBaseReferralRate() again and get a different value due to sudden change by the owner.
And without proper event logging, it's challenging to track changes to these parameters.

Tools Used

Manual review

Recommendations

Implement an initialization guard:
bool private initialized;

function initialize(uint256 _basePlatformFeeRate, uint256 _baseReferralRate) external onlyOwner {
require(!initialized, "Contract is already initialized");
basePlatformFeeRate = _basePlatformFeeRate;
baseReferralRate = _baseReferralRate;
initialized = true;
emit Initialized(_basePlatformFeeRate, _baseReferralRate);
}

Create separate functions for updating these values if needed:

function updateBasePlatformFeeRate(uint256 _newRate) external onlyOwner {
basePlatformFeeRate = _newRate;
emit BasePlatformFeeRateUpdated(_newRate);
}

function updateBaseReferralRate(uint256 _newRate) external onlyOwner {````baseReferralRate = _newRate;````emit BaseReferralRateUpdated(_newRate);````}

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Known issue

Assigned finding tags:

[invalid] finding-Admin-Errors-Malicious

The following issues and its duplicates are invalid as admin errors/input validation/malicious intents are1 generally considered invalid based on [codehawks guidelines](https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity#findings-that-may-be-invalid). If they deploy/set inputs of the contracts appropriately, there will be no issue. Additionally admins are trusted as noted in READ.ME they can break certain assumption of the code based on their actions, and

Prize pool breakdown

Total prize

27,750 USDC

nSLOC

1,229

23 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.