Hawk High

First Flight #39

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Valid

Front-Running Vulnerability in LevelOne Contract Initialization

khalidwalid

Summary

The LevelOne contract implementation is vulnerable to front-running attacks due to missing _disableInitializers() in its constructor. An attacker could initialize the implementation contract directly before the proxy does, potentially hijacking control of the system.

Vulnerability Details

Issue Description

The LevelOne contract inherits from Initializable and UUPSUpgradeable but fails to implement the critical security measure of disabling initializers in its constructor. This omission creates a window of vulnerability during deployment where an attacker could front-run the initialization process.

// SPDX-License-Identifier: MIT

pragma solidity 0.8.26;

// Missing constructor with _disableInitializers()

contract LevelOne is Initializable, UUPSUpgradeable {

// ...

}

Attack Vector

The vulnerability occurs during the deployment process:

levelOneImplementation = new LevelOne(); // Transaction #1

proxy = new ERC1967Proxy(address(levelOneImplementation), ""); // Transaction #2

LevelOne(address(proxy)).initialize(principal, schoolFees, address(usdc)); // Transaction #3

Between Transaction #1 and Transaction #3, the implementation contract address is public but not yet initialized. An attacker monitoring the mempool could:

Detect the implementation contract deployment
Submit their own transaction with a higher gas price to call initialize() directly on the implementation
Set themselves as the principal and gain control over critical functions

This attack is possible because:

Each transaction is independently mined
There's an inherent timing gap between implementation deployment and initialization
The implementation doesn't prevent direct initialization

Impact

If successfully exploited, an attacker could:

• Gain funds

Set themselves as the principal of the implementation contract
Gain privileged access to critical functions including:
- addTeacher()
- removeTeacher()
- expel()
- startSession()
- graduateAndUpgrade()
- _authorizeUpgrade()
Disrupt the intended deployment workflow
Create inconsistency between implementation and proxy state

While this doesn't directly compromise the proxy contract's storage, it creates a vulnerable implementation contract that could potentially be used in future attacks or cause confusion.

Tools Used

Manual code review

Recommendations

Add _disableInitializers() to the constructor:

constructor() {_disableInitializers();}

in the LevelOne contract

Updates

Lead Judging Commences

yeahchibyke Lead Judge 6 months ago

Submission Judgement Published

Validated

Assigned finding tags:

contract can be re-initialized

The system can be re-initialized by an attacker and its integrity tampered with due to lack of `disableInitializer()`

Rewards breakdown

nSLOC

243

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.