Hawk High

First Flight #39
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: medium
Valid

Front-Runnable Initialization Vulnerability in `LevelOne::initialize()` Function

Description: The **LevelOne::initialize()** function can be called by anyone because it doesn't have access control. Attackers can front-run this transaction to set malicious parameters when the contract is deployed.

```solidity
function initialize(address _principal, uint256 _schoolFees, address _usdcAddress) public initializer {
    if (_principal == address(0)) {
        revert HH__ZeroAddress();
    }
    if (_schoolFees == 0) {
        revert HH__ZeroValue();
    }
    if (_usdcAddress == address(0)) {
        revert HH__ZeroAddress();
    }
    principal = _principal;
    schoolFees = _schoolFees;
    usdc = IERC20(_usdcAddress);
    __UUPSUpgradeable_init();
}
```

The function is public and only protected by the `initializer` modifier (which only prevents re-initialization).

There is no ownership check (like onlyOwner) or deployer validation.

Attackers can watch the mempool and call initialize() first with their own parameters:

- Set themselves as `LevelOne::principal`
- Control the `LevelOne::_usdcAddress`
- Set arbitrary `LevelOne::_schoolFees`

**Impact:** Complete compromise of contract configuration

Possible loss of funds if malicious USDC address is set


Recommended Mitigation: Add access control (e.g., onlyOwner or Onlyprincipal)

Updates

Lead Judging Commences

yeahchibyke Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

contract can be re-initialized

The system can be re-initialized by an attacker and its integrity tampered with due to lack of `disableInitializer()`
