The initialize() function configures critical protocol dependencies such as the Aave pool, data provider, 1inch router, USDC token, and oracle. It also assigns contract ownership and sets the flash loan fee. The initializer modifier ensures it can only be executed once in an upgradeable deployment.
The function is declared external with the initializer modifier, but it has no access control and does not validate its input addresses. This allows any external account to call initialize() before the intended deployer, permanently take ownership, and inject malicious protocol addresses.
Likelihood: HIGH
During proxy deployment, the contract remains uninitialized until initialize() is executed, creating a publicly accessible execution window.
Attackers and automated bots actively monitor newly deployed upgradeable contracts and execute unprotected initializer functions immediately.
Impact: CRITICAL
Permanent ownership takeover by an attacker.
Injection of malicious external protocol addresses leading to fund theft, oracle manipulation, or full protocol compromise.
An attacker can front-run the legitimate deployer and initialize the contract first.
1. The proxy contract is deployed.
2. initialize() has not yet been executed.
3. The attacker observes the deployment in the mempool.
4. The attacker calls initialize() first.
5. Ownership is permanently assigned to the attacker and malicious protocol addresses are stored.
Since the initializer modifier prevents re-initialization, the legitimate deployer cannot recover control.
The initialize() function should be restricted to a trusted deployer and include validation for all critical addresses. Additionally, when using OpenZeppelin upgradeable contracts, __Ownable_init() should be used instead of manually assigning ownership.
Restricting initialization prevents unauthorized ownership takeover.
Zero-address validation prevents accidental or malicious misconfiguration.
Using __Ownable_init() ensures proper upgradeable ownership initialization.
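The remediation above, written out as an added example (this is not the audited project's code): the implementation pins a trusted deployer as an immutable at construction time, rejects zero addresses, and hands ownership to OwnableUpgradeable. The contract and storage variable names (pool, dataProvider, router, usdc, oracle, flashLoanFee) are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";

// Added example; variable names are assumptions, not the audited project's.
contract HardenedVault is Initializable, OwnableUpgradeable {
    address public pool;
    address public dataProvider;
    address public router;
    address public usdc;
    address public oracle;
    uint256 public flashLoanFee;

    // Immutables live in the implementation bytecode, so this value is visible
    // through the proxy's delegatecall. A front-runner who reaches the proxy's
    // initialize() during the deployment window fails this check.
    /// @custom:oz-upgrades-unsafe-allow state-variable-immutable
    address public immutable trustedDeployer;

    error Unauthorized();
    error ZeroAddress();

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor(address deployer) {
        if (deployer == address(0)) revert ZeroAddress();
        trustedDeployer = deployer;
        _disableInitializers(); // the bare implementation can never be initialized
    }

    function initialize(
        address pool_, address dataProvider_, address router_,
        address usdc_, address oracle_, uint256 flashLoanFee_
    ) external initializer {
        if (msg.sender != trustedDeployer) revert Unauthorized();
        _nonZero(pool_); _nonZero(dataProvider_); _nonZero(router_);
        _nonZero(usdc_); _nonZero(oracle_);

        // OpenZeppelin v5 signature; in v4 __Ownable_init() takes no argument
        // and assigns msg.sender. Either way, avoid writing owner storage by hand.
        __Ownable_init(msg.sender);
        pool = pool_; dataProvider = dataProvider_; router = router_;
        usdc = usdc_; oracle = oracle_; flashLoanFee = flashLoanFee_;
    }

    function _nonZero(address a) internal pure {
        if (a == address(0)) revert ZeroAddress();
    }
}
```

Passing the initialize() calldata to the proxy constructor so deployment and initialization happen in one transaction closes the window as well; the pinned deployer check covers deployments that do not.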