The initialize() function in the LLMOracleRegistry contract is vulnerable to front-running attacks. Since this is an upgradeable contract using the UUPS pattern, the initialize() function is critical as it sets up the initial contract state including the contract owner who has privileged access to upgrade the contract implementation.
The current implementation allows any address to call initialize() first and become the owner of the contract. While the deployment process likely intends to call this function immediately after deployment, there is a small window where an attacker monitoring the mempool could front-run the legitimate initialization transaction.
If successful, the attacker would gain ownership of the contract and therefore have the ability to:
- Call setStakeAmounts() to manipulate required stake amounts
- Call _authorizeUpgrade() to upgrade the contract implementation to a malicious version
- Effectively take control of all staked tokens
This is particularly concerning given that this contract handles user stakes in ERC20 tokens and serves as a registry for LLM oracles.
To prevent front-running of the initialization, ensure the initialization is done in the same transaction as the proxy deployment using a deployment framework like OpenZeppelin Hardhat Upgrades that handles this automatically.
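The mitigation above, sketched as an added example that is not the project's code: the proxy constructor runs initialize() in the deployment transaction, the implementation is locked against direct initialization, and the deployer reverts unless ownership landed where intended. It assumes OpenZeppelin Contracts v5 (plain and upgradeable packages); RegistryStandIn, AtomicRegistryDeployer and the single-argument initialize(address) are hypothetical, since the registry's real initializer signature is not shown here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example. Assumes OpenZeppelin Contracts v5 import paths.
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";

// Hypothetical stand-in for the registry (real initialize() arguments are not on the page).
contract RegistryStandIn is Initializable, OwnableUpgradeable, UUPSUpgradeable {
    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // Lock the implementation contract so it can never be initialized directly.
        _disableInitializers();
    }

    // The initializer modifier allows exactly one successful call per proxy.
    function initialize(address initialOwner) external initializer {
        __Ownable_init(initialOwner);
    }

    // UUPS upgrade gate: only the owner set during initialization may upgrade.
    function _authorizeUpgrade(address) internal override onlyOwner {}
}

// Hypothetical deployer: proxy creation and initialization share one transaction.
contract AtomicRegistryDeployer {
    event RegistryDeployed(address proxy, address owner);

    function deploy(address implementation, address expectedOwner) external returns (address proxy) {
        bytes memory initData = abi.encodeCall(RegistryStandIn.initialize, (expectedOwner));
        // The ERC1967Proxy constructor delegatecalls initData, so the proxy is
        // never visible on-chain in an uninitialized state.
        proxy = address(new ERC1967Proxy(implementation, initData));
        // Revert the whole deployment if ownership did not land where intended.
        require(RegistryStandIn(proxy).owner() == expectedOwner, "unexpected owner");
        emit RegistryDeployed(proxy, expectedOwner);
    }
}
```

For a proxy that was deployed and initialized in separate transactions, reading owner() on the proxy and comparing it with the intended address gives the same check after the fact.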