Description:

The initialize function in LevelOne.sol is vulnerable to front-running because it is publicly callable and lacks access control, so anyone who sees the deployment can call it before the legitimate deployer does and initialize the contract with their own parameters.

- The initialize function is marked public without access restrictions.
- Anyone can call the function and set the initial state.
- Critical parameters such as principal, schoolFees, and usdc can be set by anyone.

Impact: High. This vulnerability allows:

- Malicious actors to initialize the contract with their own parameters.
- Potential loss of control over the contract's initial state.
- Possible theft of funds if the contract is initialized with malicious addresses.

Tools Used:

Manual code review

Recommendations:

Implement a factory pattern for contract deployment, so that the contract is deployed and initialized in the same transaction and no uninitialized instance is ever exposed to other callers.

The system can also be re-initialized by an attacker and its integrity tampered with due to the lack of `disableInitializer()`.
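The following is an added example illustrating the recommended fix for both issues above (front-runnable initialization and re-initialization); it is not code from the LevelOne repository, and the state variables are a hypothetical reconstruction based on the parameters named in the finding. It assumes OpenZeppelin's `Initializable` (whose disable function is named `_disableInitializers()`) and `ERC1967Proxy`, and Solidity 0.8.20 or later.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";

/// Hardened initialization pattern. State layout is a hypothetical
/// reconstruction of LevelOne, not the audited contract.
contract LevelOneHardened is Initializable {
    address public principal;
    uint256 public schoolFees;
    address public usdc;

    /// Locks the implementation (logic) contract so nobody can ever
    /// initialize it directly; only proxies delegating to it can be set up.
    constructor() {
        _disableInitializers();
    }

    /// `initializer` guarantees this body runs exactly once per proxy,
    /// which removes the re-initialization vector.
    function initialize(address _principal, uint256 _schoolFees, address _usdc)
        external
        initializer
    {
        require(_principal != address(0) && _usdc != address(0), "zero address");
        principal = _principal;
        schoolFees = _schoolFees;
        usdc = _usdc;
    }
}

/// Factory that deploys the proxy and initializes it atomically in one
/// transaction, so there is no window in which an uninitialized proxy exists
/// for a front-runner to claim.
contract LevelOneFactory {
    event Deployed(address proxy, address principal);

    function deploy(address implementation, address _principal, uint256 _schoolFees, address _usdc)
        external
        returns (address)
    {
        bytes memory initData =
            abi.encodeCall(LevelOneHardened.initialize, (_principal, _schoolFees, _usdc));
        ERC1967Proxy proxy = new ERC1967Proxy(implementation, initData);
        emit Deployed(address(proxy), _principal);
        return address(proxy);
    }
}
```

A second call to `initialize` on the deployed proxy reverts with OpenZeppelin's `InvalidInitialization` error, which is the behaviour a test should assert on.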