Summary
The initialize function in CErc20.sol has no initializer modifier and can be invoked multiple times from the implementation contract. This means a compromised implementation can reinitialize the contract.
Vulnerability Detail
The initialize function needs to be protected by the initializer modifier to make sure the contract can only be initialized once.
A malicious user can take advantage of the missing initializer modifier and reinitialize the contract.
    function initialize(address underlying_,
                        ComptrollerInterface comptroller_,
                        InterestRateModel interestRateModel_,
                        uint initialExchangeRateMantissa_,
                        string memory name_,
                        string memory symbol_,
                        uint8 decimals_) public {
        // CToken initialize does the bulk of the work
        super.initialize(comptroller_, interestRateModel_, initialExchangeRateMantissa_, name_, symbol_, decimals_);
        // Set underlying and sanity check it
        underlying = underlying_;
        EIP20Interface(underlying).totalSupply();
    }
Recommendation
Use the initializer modifier to protect the function from being reinitialized.
    function initialize(address underlying_,
                        ComptrollerInterface comptroller_,
                        InterestRateModel interestRateModel_,
                        uint initialExchangeRateMantissa_,
                        string memory name_,
                        string memory symbol_,
                        uint8 decimals_) public initializer {
        // body unchanged from the snippet under Vulnerability Detail
    }
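The guard the recommendation relies on, sketched as an added example (not code from CErc20.sol or from any library): OneShotInit, _lockInitializers, MarketSketch and ProxySketch are hypothetical names, and the boolean flag is a simplified stand-in for a real Initializable base contract. It also shows why the flag must be locked on the implementation itself, since under delegatecall the flag is stored by the proxy.

```solidity
pragma solidity ^0.8.0;

// Simplified one-shot guard (assumption: stands in for a real Initializable base).
abstract contract OneShotInit {
    // Stored by whichever contract executes the code: the proxy under
    // delegatecall, the implementation when it is called directly.
    bool private _initialized;

    modifier initializer() {
        require(!_initialized, "already initialized");
        _initialized = true; // set before the body so a re-entrant call also reverts
        _;
    }

    // Hypothetical helper: permanently locks the contract it runs in.
    function _lockInitializers() internal {
        _initialized = true;
    }
}

// Hypothetical market; only `underlying` mirrors the page's snippet.
contract MarketSketch is OneShotInit {
    address public underlying;

    // Runs only on the implementation, so direct initialize() calls on it revert.
    constructor() { _lockInitializers(); }

    function initialize(address underlying_) public initializer {
        require(underlying_ != address(0), "zero underlying");
        underlying = underlying_;
    }
}

// Minimal delegatecall proxy: its own storage holds the flag and `underlying`.
contract ProxySketch {
    address private immutable impl; // immutable lives in code, not in a storage slot

    constructor(address impl_) { impl = impl_; }

    fallback() external {
        (bool ok, bytes memory ret) = impl.delegatecall(msg.data);
        assembly {
            switch ok
            case 0 { revert(add(ret, 32), mload(ret)) }
            default { return(add(ret, 32), mload(ret)) }
        }
    }
}
```

Calling initialize through ProxySketch succeeds once and reverts on the second call; calling it on the MarketSketch deployment itself always reverts.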