A permissionless, trustless, and decentralized growth engine for protocol and application developers. It enables developers to bootstrap their projects by leveraging the power of community and the network effect.
Summary
BoostCore.sol will always be set as the owner of Boost-provided incentive contracts because the initializer is called here within _makeIncentives. Therefore, any function using the onlyOwner modifier within the incentive contracts must be called by BoostCore. For example, there is no way to call drawRaffle or clawback from the BoostCore contract.
Expected Behavior
No response
Steps To Reproduce
Root Cause
createBoost is called to create a new boost. Each incentive is initialized by the call to _makeIncentives. Within _makeIncentives, the initializer is called for each incentive. The initializer function within each incentive contract sets the owner as msg.sender, which would be the BoostCore contract.
Internal pre-conditions
Boost is created using an out-of-the-box incentive contract as one of the incentives, including: ERC20Incentive, CGDAIncentive, ERC20VariableIncentive, and ERC1155Incentive
External pre-conditions
No response
Attack Path
1. User calls createBoost to create a new Boost
2. They choose to use an out-of-the-box incentive contract listed above
3. They are initialized with BoostCore as the owner
Impact
No winner can be drawn for raffle contests through the ERC20Incentive contract
Any funds in the contract that need to be rescued cannot be retrieved through clawback
PoC
Is there an existing issue for this?
Package Version
0.0.0-alpha.12
Link to Minimal Reproducible Example (StackBlitz, CodeSandbox, GitHub repo etc.)
https://github.com/sherlock-audit/2024-06-boost-aa-wallet-judging/issues/43
Anything else?
No response
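The ownership flow described under Root Cause, as an added Solidity example that is not part of the original report and is not the Boost protocol's code. ToyIncentive, ToyCore, OwnershipCheck and ownerOnlyAction are hypothetical names that only model an initializer setting the owner to msg.sender when a core contract makes the call.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-ins for illustration; not the Boost contracts.
contract ToyIncentive {
    address public owner;
    bool private initialized;

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Same shape as the reported root cause: owner = whoever calls initialize().
    function initialize() external {
        require(!initialized, "already initialized");
        initialized = true;
        owner = msg.sender;
    }

    // Stand-in for an onlyOwner function such as drawRaffle or clawback.
    function ownerOnlyAction() external view onlyOwner returns (bool) {
        return true;
    }
}

contract ToyCore {
    // The core deploys and initializes the incentive, so inside initialize()
    // msg.sender is this contract, not the user who requested the boost.
    function createBoost() external returns (ToyIncentive incentive) {
        incentive = new ToyIncentive();
        incentive.initialize();
    }
    // Nothing in this contract forwards a call to ownerOnlyAction().
}

contract OwnershipCheck {
    // Acts as the boost creator and reports who owns the incentive and
    // whether the creator can reach the guarded function.
    function run() external returns (bool ownerIsCore, bool creatorCanAct) {
        ToyCore core = new ToyCore();
        ToyIncentive incentive = core.createBoost();
        ownerIsCore = incentive.owner() == address(core);
        try incentive.ownerOnlyAction() returns (bool ok) {
            creatorCanAct = ok;
        } catch {
            creatorCanAct = false;
        }
    }
}
```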