Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Invalid

StabilityPool can be initialized by anyone

Summary

The StabilityPool contract contains a vulnerability in its initialization process. The initialize function lacks access control, allowing any address to call it and set critical contract parameters.

Vulnerability Details

The vulnerability exists in the initialize function:

/**
 * @notice Initializes the StabilityPool contract.
 * @param _rToken Address of the RToken contract.
 * @param _deToken Address of the DEToken contract.
 * @param _raacToken Address of the RAAC token contract.
 * @param _raacMinter Address of the RAACMinter contract.
 */
function initialize(
    address _rToken,
    address _deToken,
    address _raacToken,
    address _raacMinter,
    address _crvUSDToken,
    address _lendingPool
) public initializer {
    if (_rToken == address(0) || _deToken == address(0) || _raacToken == address(0) || _raacMinter == address(0) || _crvUSDToken == address(0) || _lendingPool == address(0)) revert InvalidAddress();
    __Ownable_init(_initialOwner);
    __Pausable_init();
    rToken = IRToken(_rToken);
    deToken = IDEToken(_deToken);
    raacToken = IRAACToken(_raacToken);
    raacMinter = IRAACMinter(_raacMinter);
    crvUSDToken = IERC20(_crvUSDToken);
    lendingPool = ILendingPool(_lendingPool);
    // Get and store the decimals
    rTokenDecimals = IRToken(_rToken).decimals();
    deTokenDecimals = IDEToken(_deToken).decimals();
}

The function is marked as public with only the initializer modifier from OpenZeppelin. No additional access control is implemented even though the function accepts critical contract addresses as parameters. This makes the contract vulnerable to front-running attacks during initialization.

Impact

The vulnerability has significant implications:

  1. Protocol Compromise: An attacker can:

    • Set malicious contract addresses for all core components

    • Control the flow of tokens and funds

    • Manipulate pool operations

    • Potentially drain user deposits

  2. Trust Assumptions Broken:

    • Users assume contract parameters are set by legitimate protocol owners

    • Compromised initialization breaks this trust

    • Could lead to loss of user funds and protocol reputation

Recommendations

Add access control:

function initialize(
    address _rToken,
    address _deToken,
    address _raacToken,
    address _raacMinter,
    address _crvUSDToken,
    address _lendingPool
) public initializer {
    require(msg.sender == owner(), "Unauthorized");
    // ... rest of the initialization
}

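An added sketch, not code from the submission or from the RAAC repository: one way to remove the window between deployment and initialization is to run initialize in the same transaction that creates the proxy, and to lock the implementation contract itself. It assumes the pool sits behind an OpenZeppelin v5 ERC1967Proxy; PoolSketch, PoolDeployer and their parameters are hypothetical, reduced stand-ins for the real contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";

// Hypothetical stand-in for the pool: two of the six addresses only.
contract PoolSketch is Initializable, OwnableUpgradeable {
    address public rToken;
    address public deToken;

    error InvalidAddress();

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // Locks the implementation so it can never be initialized directly.
        _disableInitializers();
    }

    // The owner is passed in explicitly: owner() is still address(0)
    // until __Ownable_init has run.
    function initialize(address _rToken, address _deToken, address _initialOwner)
        external
        initializer
    {
        if (_rToken == address(0) || _deToken == address(0)) revert InvalidAddress();
        __Ownable_init(_initialOwner); // reverts on a zero owner in OZ v5
        rToken = _rToken;
        deToken = _deToken;
    }
}

// Hypothetical deployer: proxy creation and initialize() share one
// transaction, so the proxy is never observable in an uninitialized state.
contract PoolDeployer {
    event PoolDeployed(address proxy);

    function deploy(address impl, address rToken, address deToken, address owner_)
        external
        returns (address proxy)
    {
        bytes memory initData = abi.encodeCall(PoolSketch.initialize, (rToken, deToken, owner_));
        // ERC1967Proxy delegatecalls initData in its constructor and reverts on failure.
        proxy = address(new ERC1967Proxy(impl, initData));
        emit PoolDeployed(proxy);
    }
}
```

A deployment test can then assert that a second initialize call on the returned proxy reverts and that owner() equals the intended address.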
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
