The StabilityPool contract does not call _disableInitializers() in its constructor, the standard guard against initialization of the contract by an unintended party. Without it, the contract can be initialized more than once, potentially by unauthorized parties.
StabilityPool inherits from Initializable, which already provides the _disableInitializers() function, so the fix costs nothing beyond the constructor call.
Without _disableInitializers(), the contract stays open to initialization, and an attacker who initializes it can alter the contract's state.
Risk: Unauthorized initialization can lead to state manipulation, allowing attackers to set arbitrary values for critical state variables.
Consequences: This could disrupt the contract's intended functionality, leading to financial loss or denial of service.
Affected Parties: Users and stakeholders relying on the StabilityPool for secure and reliable operations.
Recommended mitigation: add _disableInitializers() to the constructor.
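The shape of the mitigation with OpenZeppelin's Initializable, as an added example rather than the audited StabilityPool source (the state variables and initialize parameters are hypothetical):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the project's code. Uses OpenZeppelin's upgradeable
// Initializable (v5 API); the state variables below are hypothetical.
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";

/// Implementation contract meant to sit behind a proxy.
contract StabilityPoolExample is Initializable {
    address public owner;
    address public troveManager;

    /// Locks the implementation contract itself: calling an `initializer`
    /// function directly on the logic contract (not through a proxy) reverts
    /// with InvalidInitialization(). Proxies still initialize normally, since
    /// the constructor only writes to the implementation's own storage.
    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        _disableInitializers();
    }

    /// Runs once per proxy. The `initializer` modifier blocks a second call on
    /// that proxy; the constructor above blocks any call on the implementation.
    function initialize(address _owner, address _troveManager) external initializer {
        owner = _owner;
        troveManager = _troveManager;
    }
}
```

A deployment check worth keeping in the test suite: calling initialize() on the raw implementation address (not the proxy) must revert, while the same call through a freshly deployed proxy must succeed exactly once.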