Reinitialization in TokenManager::initialize() by owner
Summary
The initialize() function allows the contract owner to reinitialize critical state variables multiple times due to the absence of an initializer modifier. This vulnerability can lead to severe security and functional risks, as it enables unauthorized reinitialization of the wrappedNativeToken address.
Vulnerability Details
The initialize function in the provided smart contract code is designed to set the wrappedNativeToken address.
The function is protected by the onlyOwner modifier, ensuring that only the contract owner can call it. However, it lacks the initializer modifier, which is crucial for preventing the function from being called more than once. Without this modifier, the contract owner can reinitialize the wrappedNativeToken address at any time.
Affected LoC:
Impact
The absence of the initializer modifier allows the contract owner to reinitialize the wrappedNativeToken address multiple times. This can enable changes to critical state variables.
Tools Used
Manual
Recommendations
To mitigate this issue, it is essential to include the initializer modifier in the initialize function to ensure it can only be called once. The updated function should look like this:
Lead Judging Commences
[invalid] finding-Admin-Errors-Malicious
The following issues and its duplicates are invalid as admin errors/input validation/malicious intents are1 generally considered invalid based on [codehawks guidelines](https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity#findings-that-may-be-invalid). If they deploy/set inputs of the contracts appropriately, there will be no issue. Additionally admins are trusted as noted in READ.ME they can break certain assumption of the code based on their actions, and
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.