Hawk High

First Flight #39
Beginner Friendly, Solidity
Submission Details
Severity: medium
Valid

## [H-4] Initializer function is not access controlled, so anyone can initialize the contract, which can lead to a front-running attack

Summary

The protocol has an initialization function that performs the actual initialization of the contract in place of the constructor. However, this function can be called by anyone, so an attacker can initialize the contract with parameters that benefit him. Even if a specific principal is configured in the deployment script, an attacker can front-run the transaction and become the principal.

Vulnerability Details

An attacker can front-run the transaction and set the initial values to whatever he needs to break the protocol.

Impact

An attacker can initialize the contract to take advantage of it.

Tools Used

Slither

Recommendations

- function initialize(address _principal, uint256 _schoolFees, address _usdcAddress) public initializer {
+ function initialize(address _principal, uint256 _schoolFees, address _usdcAddress) public onlyPrincipal initializer {
if (_principal == address(0)) {
revert HH__ZeroAddress();
}
if (_schoolFees == 0) {
revert HH__ZeroValue();
}
if (_usdcAddress == address(0)) {
revert HH__ZeroAddress();
}
principal = _principal;
schoolFees = _schoolFees;
usdc = IERC20(_usdcAddress);
__UUPSUpgradeable_init();
}
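
Review bot: on the `+` line, `onlyPrincipal` guards a function that is itself the only visible place where `principal` is assigned (`principal = _principal;`). If the modifier compares `msg.sender` with that storage variable, the variable is still unset on the first call, so the check would reject every caller and the contract could never be initialized. Consider leaving the signature of `initialize` as it is and closing the front-running window instead: call OpenZeppelin's `_disableInitializers()` in the implementation's constructor, and pass the `initialize` calldata to the proxy at deployment so that creation and initialization happen in one transaction.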
Updates

Lead Judging Commences

yeahchibyke Lead Judge 15 days ago
Submission Judgement Published
Validated
Assigned finding tags:

contract can be re-initialized

The system can be re-initialized by an attacker and its integrity tampered with due to lack of `disableInitializer()`
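
The mitigation this tag points to, shown as an added example that is not part of the submission or the Hawk High code base: the implementation locks its own initializer, and the proxy is created and initialized in a single transaction so there is nothing to front-run. `SchoolSketch`, `DeploySchoolSketch`, `HH__NotPrincipal` and the upgrade policy are hypothetical, and an OpenZeppelin upgradeable release that provides `__UUPSUpgradeable_init()` (as used in the snippet above) is assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";

// Hypothetical, reduced stand-in for the audited contract (illustration only).
contract SchoolSketch is Initializable, UUPSUpgradeable {
    error HH__ZeroAddress();
    error HH__ZeroValue();
    error HH__NotPrincipal(); // hypothetical error name, not from the page

    address public principal;
    uint256 public schoolFees;
    IERC20 public usdc;

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // Lock the implementation itself: initialize() can then only run through a proxy.
        _disableInitializers();
    }

    function initialize(address _principal, uint256 _schoolFees, address _usdcAddress) public initializer {
        if (_principal == address(0) || _usdcAddress == address(0)) revert HH__ZeroAddress();
        if (_schoolFees == 0) revert HH__ZeroValue();
        principal = _principal;
        schoolFees = _schoolFees;
        usdc = IERC20(_usdcAddress);
        __UUPSUpgradeable_init();
    }

    // Assumed upgrade policy: only the principal may upgrade.
    function _authorizeUpgrade(address) internal override {
        if (msg.sender != principal) revert HH__NotPrincipal();
    }
}

// Hypothetical deployer: proxy creation and initialize() happen in one transaction.
contract DeploySchoolSketch {
    function deploy(address principal_, uint256 fees_, address usdc_) external returns (address) {
        SchoolSketch impl = new SchoolSketch();
        bytes memory initCall = abi.encodeCall(SchoolSketch.initialize, (principal_, fees_, usdc_));
        // ERC1967Proxy delegatecalls initCall inside its constructor, so the proxy
        // never exists on-chain in an uninitialized state.
        return address(new ERC1967Proxy(address(impl), initCall));
    }
}
```

After deployment, a second call to `initialize` on the proxy reverts through the `initializer` modifier, and a direct call on the implementation reverts because of `_disableInitializers()`.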
