Tadle

DeFi
30,000 USDC
Submission Details
Severity: low
Invalid

`Rescuable` contract can be hijacked or DoSed

Summary

The `Rescuable` contract can be hijacked by an attacker who sets himself as the owner of the contract.

Line of Code
https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/utils/Rescuable.sol#L33-L39

Description

The contract has an `initializeOwnership` function which is not a typical proxy initializer but a standalone function written by the developers. It is supposed to be called upon deployment in order to set the owner of the contract. However, it lacks basic access control, which makes it possible for an attacker to front-run the call and hijack the contract, or to cause DoS issues by doing so repeatedly and thereby preventing the protocol from being deployed.

Once the contract has been hijacked, the attacker has control over the protocol unless this is discovered and remedied.

POC

```solidity
function initializeOwnership(address _newOwner) external { //@audit no access control; this can be front-run by an attacker setting himself as the new owner
    if (owner() != address(0x0)) {
        revert AlreadyInitialized();
    }
    _transferOwnership(_newOwner);
}
```

Impact

Can be used to hijack the protocol or to cause DoS attacks that stop the protocol from being deployed.

Mitigation

Add an access control modifier.
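As an added illustration of that mitigation (not the Tadle code), the one-shot initializer below is restricted to the account that deployed the contract; `OwnableBase`, `deployer` and `NotDeployer` are assumed names, and `owner()`, `_transferOwnership()` and `AlreadyInitialized()` are assumed to come from an Ownable-style base as in the snippet above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed Ownable-style base (hypothetical; stands in for the real one).
abstract contract OwnableBase {
    error AlreadyInitialized();
    error NotDeployer();

    address private _owner;

    function owner() public view returns (address) {
        return _owner;
    }

    function _transferOwnership(address newOwner) internal {
        _owner = newOwner;
    }
}

// Hardened variant: the initializer can only be called by the deployer,
// recorded as an immutable so it lives in bytecode and cannot be overwritten.
contract RescuableHardened is OwnableBase {
    address public immutable deployer;

    constructor() {
        deployer = msg.sender;
    }

    // The access control modifier the mitigation asks for.
    modifier onlyDeployer() {
        if (msg.sender != deployer) revert NotDeployer();
        _;
    }

    function initializeOwnership(address _newOwner) external onlyDeployer {
        if (owner() != address(0x0)) {
            revert AlreadyInitialized();
        }
        _transferOwnership(_newOwner);
    }
}
```

Behind a proxy the immutable is still readable through delegatecall because it is part of the implementation bytecode, but the initializer must then be called in the same transaction that deploys the proxy so the owner is never left unset.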

Updates

Lead Judging Commences

0xnevi Lead Judge
10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

[invalid] finding-Rescuable-initializeOwner-lack-access-control

Aside from `Rescuable.sol` being OOS, this is invalid based on codehawks guidelines regarding unprotected initializers. Additionally, this should be called concurrently when deploying a new proxy, but this submission does not identify that particular issue of an uninitialized owner for proxy contracts.
