Initialize function no initializer modifier

[cvetanovv]

Summary

Initialize function in CErc20.sol no initializer modifier and can be invoked multiple times from the implementation contract. This means a compromised implementation can reinitialize the contract.

Vulnerability Detail

Initialize function need to be protected by the modifier initializer to make sure the contract can only be initialized once. A malicious user can take advantage of the lack of initializer modifier and reinitialize the contract.

Code Snippet

CErc20.sol

    function initialize(address underlying_,
                ComptrollerInterface comptroller_,
                InterestRateModel interestRateModel_,
                uint initialExchangeRateMantissa_,
                string memory name_,
                string memory symbol_,
                uint8 decimals_) public {

        // CToken initialize does the bulk of the work
        super.initialize(comptroller_, interestRateModel_, initialExchangeRateMantissa_, name_, symbol_, decimals_);

        // Set underlying and sanity check it
        underlying = underlying_;
        EIP20Interface(underlying).totalSupply();
    }

Recommendation

Use the initializer modifier to protect the function from being reinitiated.

    function initialize(address underlying_,
                ComptrollerInterface comptroller_,
                InterestRateModel interestRateModel_,
                uint initialExchangeRateMantissa_,
                string memory name_,
                string memory symbol_,
                uint8 decimals_) public initializer {

[maarcweiss]

Wrong severity. No user can re-initialize, only the owner, it is still an issue, but not severe:

https://github.com/LodestarFinance/lodestar-protocol/blob/807a166179ca5be52039d39316844d2a420eabce/contracts/CToken.sol#L35