Summary

The initialize function in the CurveAdapter.sol file is publicly accessible and lacks access control, allowing any user to call it once. This vulnerability enables unauthorized users to set the contract's owner and configuration parameters, potentially compromising the contract's security and intended functionality.

Vulnerability Details

The initialize function is marked as external and uses the initializer modifier from OpenZeppelin, which ensures the function can only be called once. However, without any access control mechanisms, such as onlyOwner or a specific role restriction, any external user can invoke this function before the intended admin or owner. This allows an attacker to set the owner to an arbitrary address and configure the _curveStrategyRouter to any address they choose. This breaks the security guarantee of controlled contract initialization, as it permits unauthorized users to take control over the setup and initial configuration of the contract.

Impact

High because it allows an unauthorized user to take control of the contract's initialization process. This can lead to the contract being configured with malicious parameters, resulting in unauthorized access and control over the contract's operations, potentially leading to financial loss or system disruption.

Likelihood:

High, as the initialize function is publicly accessible and can be called by any user. Without access control, there is nothing preventing an attacker from exploiting this vulnerability, especially in a scenario where the contract is deployed and the initialization is not immediately performed by the intended owner.

POC

The CurveAdapter contract is deployed on the blockchain. At this point, the initialize function is publicly accessible and has not yet been called.

• Attacker's Action: An attacker, monitoring the blockchain for newly deployed contracts, identifies the CurveAdapter contract and notices that the initialize function is still callable.

2. Exploit Execution:

• The attacker calls the initialize function with the following parameters:

• owner: The attacker's address.

• _curveStrategyRouter: An address controlled by the attacker.

• _slippageToleranceBps: Any arbitrary value.

3. Result:

• The attacker successfully sets themselves as the owner of the contract.

• The attacker configures the _curveStrategyRouter to an address they control, allowing them to manipulate the contract's operations.

• The contract is now initialized with parameters that benefit the attacker, potentially leading to unauthorized access and control over the contract's operations.

The attacker sets themselves as the owner, gaining control over any owner-restricted functions.

• Malicious Router: The attacker sets a malicious address as the _curveStrategyRouter, potentially redirecting funds or operations to their benefit.

• Arbitrary Parameters: The attacker can set any parameters they choose, further customizing the contract's behavior to suit their needs.

Recommendations

Implement access control mechanisms to restrict the initialize function to authorized users only. This can be achieved by using the onlyOwner modifier or a similar access control pattern to ensure that only the intended admin or owner can call the function.