Summary
The initializeOwnership function in Rescueable.sol is vulnerable to frontrunning attacks. This function allows any user to set themselves as the owner if they act before the intended owner, posing a significant security risk.
The initializeOwnership function allows the setting of a new owner but lacks proper access control. This makes it vulnerable to frontrunning, where a malicious actor could exploit the function to become the owner before the intended owner, thereby gaining unauthorized control.
Without proper access control, this function can be exploited, allowing attackers to gain control of the contract.
Unauthorized Ownership: Malicious actors can exploit the initializeOwnership function to set themselves as the owner of the contract, gaining unauthorized control and potentially causing security issues.
Manual Review
Implement Access Control: Add proper access control to the initializeOwnership function to prevent unauthorized access. Consider using an initializer modifier or similar approach to restrict access to the intended deployer.
Aside from `Rescuable.sol` being OOS, this is invalid based on CodeHawks guidelines regarding unprotected initializers. Additionally, this should be called concurrently when deploying a new proxy, but this submission does not identify that particular issue of an uninitialized owner for proxy contracts.
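The two mitigations discussed above, as an added Solidity example that is not code from the audited repository or from the submission: a one-shot initializer, and a proxy that runs it inside its own constructor so that deployment and initialization happen in a single transaction. The names `OwnedLogic` and `AtomicInitProxy` and the `initializeOwnership(address)` signature are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: contract names and the function signature are
// assumptions, not the audited contract.
contract OwnedLogic {
    address public owner;
    bool private ownershipInitialized;
    error AlreadyInitialized();
    error ZeroOwner();

    constructor() {
        // Lock the implementation's own storage so it cannot be claimed directly.
        ownershipInitialized = true;
    }

    // One-shot: the first successful call fixes the owner, later calls revert.
    function initializeOwnership(address newOwner) external {
        if (ownershipInitialized) revert AlreadyInitialized();
        if (newOwner == address(0)) revert ZeroOwner();
        ownershipInitialized = true;
        owner = newOwner;
    }
}

// Minimal proxy that initializes in its constructor: there is no block in
// which the proxy exists with an unset owner.
contract AtomicInitProxy {
    // EIP-1967 slot: bytes32(uint256(keccak256("eip1967.proxy.implementation")) - 1)
    bytes32 private constant IMPL_SLOT =
        0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;

    constructor(address implementation, bytes memory initData) {
        bytes32 slot = IMPL_SLOT;
        assembly { sstore(slot, implementation) }
        (bool ok, ) = implementation.delegatecall(initData);
        require(ok, "init failed");
    }

    fallback() external payable {
        bytes32 slot = IMPL_SLOT;
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), sload(slot), 0, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            if iszero(ok) { revert(0, returndatasize()) }
            return(0, returndatasize())
        }
    }
}
```

The deployer passes `abi.encodeCall(OwnedLogic.initializeOwnership, (intendedOwner))` as `initData`; a deployment script can then assert that `owner()` read through the proxy equals the intended address.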