Tadle

DeFiFoundry
27,750 USDC
Submission Details
Severity: low
Invalid

The `initializeOwnership` function is not protected; anyone can call it and win ownership of the contracts.

Summary

The function `initializeOwnership` is not protected, so anyone can call it, front-running the protocol's call, and win ownership of the contracts.

Vulnerability Details

The Rescuable contract is a base contract that is inherited by all the core contracts of the protocol. This contract implements basic functionality like pausing, ownership transfer, token transfer, and token rescue for the 5 core contracts: CapitalPool, DeliveryPlace, PreMarkets, SystemConfig and TokenManager.

The Rescuable contract implements a function called initializeOwnership that is meant to be used by the owner of the contracts to transfer the ownership to another address, but this function doesn't implement the onlyOwner modifier, allowing anyone to call it and change the ownership of the 5 core contracts to any address.

So after deployment of the contracts, an attacker can front-run the owner by calling the initializeOwnership function and gain ownership of the contracts.

https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/utils/Rescuable.sol#L33-L39

```solidity
function initializeOwnership(address _newOwner) external {
    if (owner() != address(0x0)) {
        revert AlreadyInitialized();
    }
    _transferOwnership(_newOwner);
}
```

Impact

An attacker can steal the ownership of the 5 core contracts of the protocol.

Tools Used

Manual Code Review

Recommendations

Implement the onlyOwner modifier in the initializeOwnership function to avoid the risk of an attacker stealing the ownership of the contracts.

Updates

Lead Judging Commences

0xnevi Lead Judge
about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

[invalid] finding-Rescuable-initializeOwner-lack-access-control

Aside from `Rescuable.sol` being OOS, this is invalid based on CodeHawks guidelines regarding unprotected initializers. Additionally, this should be called concurrently when deploying a new proxy, but this submission does not identify that particular issue of an uninitialized owner for proxy contracts.
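
One way to initialize the owner in the same transaction that deploys a proxy, as the judging comment describes. This is an added example, not code from the submission or from the Tadle repository. It assumes OpenZeppelin's `ERC1967Proxy`; `AtomicProxyDeployer` and `IRescuable` are hypothetical names, and only `initializeOwnership` and `owner()` come from the snippet quoted in the submission.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";

// Hypothetical minimal interface for the two functions used in the quoted snippet.
interface IRescuable {
    function initializeOwnership(address _newOwner) external;
    function owner() external view returns (address);
}

// Hypothetical deployer (an assumption, not the project's factory).
// It creates the proxy and sets its owner in a single transaction, so the
// proxy never exists on-chain with owner() == address(0).
contract AtomicProxyDeployer {
    error ZeroOwner();
    error OwnerNotSet();

    event ProxyDeployed(address indexed proxy, address indexed owner);

    function deploy(address implementation, address newOwner)
        external
        returns (address proxy)
    {
        if (newOwner == address(0)) revert ZeroOwner();

        // The ERC1967Proxy constructor delegatecalls the implementation with
        // this calldata, so initializeOwnership writes the owner into the
        // proxy's storage during contract creation.
        bytes memory initData =
            abi.encodeCall(IRescuable.initializeOwnership, (newOwner));

        proxy = address(new ERC1967Proxy(implementation, initData));

        // Post-deployment check: revert the whole transaction if the owner
        // was not set as expected.
        if (IRescuable(proxy).owner() != newOwner) revert OwnerNotSet();

        emit ProxyDeployed(proxy, newOwner);
    }
}
```

Because creation and initialization share one transaction, no separate `initializeOwnership` call is ever pending for the new proxy.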
