Open ptisserand opened 3 days ago
Can I be assigned when od hack starts please! @ptisserand
I am applying to this issue via OnlyDust platform.
I'm Poulav Bhowmick, a software engineer at Invisible Studios with a robust background in TypeScript, Rust, Solidity, Cairo, fullstack development and blockchain technology. My experience includes building robust applications, optimizing functionalities and blockchain integration. I have actively participated in events and open source contributions, enhancing my capability to tackle real-world tech challenges. My projects can be viewed on my GitHub Profile and OnlyDust Profile. Plus, I'm an active member of the Starknet and Ethereum ecosystems.
I will resolve this issue by taking the following approach:
Adding _disableInitializers() to the Bridge Constructor: add a _disableInitializers() call to the constructor, ensuring that the contract can only be initialized once. Example:
constructor() {
    _disableInitializers();
}
This will ensure that the implementation contract is protected from further initialization once it is deployed.
Reviewing Starklane and Bridge Contracts: ensure _disableInitializers() is called in any other contract that is deployed via a proxy to avoid similar vulnerabilities.
Writing Unit Tests: calling initialize() after deployment should revert. Attempt to call initialize() and confirm that they are unable to pass arbitrary arguments due to _disableInitializers() being triggered. Example test case:
function testCannotInitializeAfterDeployment() public {
    // The exact revert reason depends on the Initializable version in use
    vm.expectRevert("Initializers are disabled");
    bridge.initialize(/* malicious arguments */);
}
Manual and Automated Testing:
By following these steps, I’ll make sure the Bridge contract is protected against unauthorized initialization, and I will ensure that robust tests are in place to confirm the fix. ETA - 1 day
I am applying to this issue via OnlyDust platform.
I'm a Solidity and Cairo smart contract developer with over 2 years of experience. I believe I have the skill set for the task, and I am also very good with smart contract testing.
I would create a private disableInitializer function with the needed logic and call it in the constructor.
I am applying to this issue via OnlyDust platform.
I'm a Solidity and Cairo developer specializing in NFT marketplaces and decentralized apps, with experience in multi-token support and integrating blockchain protocols. My work on projects like Worldcoin-Bridge-Linea equips me to handle tasks like adding ERC-20 support efficiently.
To handle the missing _disableInitializers in the Bridge's constructor: add a _disableInitializers() call in the Bridge constructor to prevent unauthorized initialization.
I am applying to this issue via OnlyDust platform.
Good Morning ArkProject, My name is Deon and I'd like to apply formally for the task presented. I am a Web and blockchain engineer with a passion for building user interfaces and Dapps that deliver meaningful experiences, with a background in Computer Science (BSc) and hands-on experience. If given the chance to contribute, this will be my second official contribution via OnlyDust, and I'm confident in my ability to deliver on the feature you're looking for.
I will employ the following approach to ensure disableInitializers is called to prevent uninitialized contracts from being exploited:
Understand the Contract Initialization Flow: I will review the Starklane contract’s initialization process, focusing on how the proxy pattern interacts with the implementation contract. This will help ensure that the proxy’s implementation contract cannot be initialized multiple times or taken over by an attacker.
Add disableInitializers() to the Constructor: I will update the Starklane contract’s constructor to include a call to disableInitializers(). This will lock the contract's initialization function, preventing any further calls to initialize, which could otherwise be exploited by an attacker to set arbitrary values.
Write Unit Tests for Verification: I will write unit tests to ensure that after deployment, the initialize function cannot be called on the implementation contract. These tests will confirm that calling initialize post-deployment throws an error, validating that the contract has been correctly locked.
Comprehensive Coverage: I will ensure that the solution applies across the entire upgradeable contract lifecycle, preventing any misuse of the initialization function and securing the proxy pattern implementation.
The maintainer ptisserand has assigned PoulavBhowmick03 to this issue via OnlyDust Platform. Good luck!
From https://codehawks.cyfrin.io/c/2024-07-ark-project/s/181
Summary
disableinitializers is not called in Starklane's constructor
Details
An uninitialized contract can be taken over by an attacker. This applies to both a proxy and its implementation contract, which may impact the proxy. But in the case of the implementation contract, a call to disableinitializers() is necessary in the constructor. This is because when the Bridge contract is deployed and initialized, the initialize method on the newly created proxy's implementation contract is never called. As such, anyone can call that method and pass in whatever values they want as arguments.
Unit test must be provided.