code-423n4 / 2021-04-vader-findings


Init function can be called by everyone #18

Open code423n4 opened 3 years ago

code423n4 commented 3 years ago

Handle

gpersoon

Vulnerability details

Impact

Most of the Solidity contracts have an init function that everyone can call. This could lead to a race condition when the contract is deployed. At that moment a hacker could call the init function and make the deployed contracts useless. Then it would have to be redeployed, costing a lot of gas.

Proof of Concept

DAO.sol: function init(address _vader, address _usdv, address _vault) public {
Factory.sol: function init(address _pool) public {
Pools.sol: function init(address _vader, address _usdv, address _router, address _factory) public {
Router.sol: function init(address _vader, address _usdv, address _pool) public {
USDV.sol: function init(address _vader, address _vault, address _router) external {
Utils.sol: function init(address _vader, address _usdv, address _router, address _pools, address _factory) public {
Vader.sol: function init(address _vether, address _USDV, address _utils) external {
Vault.sol: function init(address _vader, address _usdv, address _router, address _factory, address _pool) public {

Tools Used

Editor

Recommended Mitigation Steps

Add a check to the init function, for example that only the deployer can call the function.

strictly-scarce commented 3 years ago

Yes, but only once. Could add a deployer check tho
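The pattern discussed in the report and the reply above, next to the recommended deployer check, as an added example that is not code from the Vader repository. The contract names, the `inited` flag, the storage variables and the `Initialised` event are assumptions made for illustration; only the `init(address _vader, address _usdv, address _pool)` signature is taken from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical contracts; names and storage layout are assumptions.

// As reported: a one-shot flag blocks re-initialisation, but the first caller,
// whoever that is, decides which addresses the contract will trust.
contract RouterOpenInit {
    bool private inited;
    address public VADER;
    address public USDV;
    address public POOLS;

    function init(address _vader, address _usdv, address _pool) public {
        require(!inited, "already inited");
        inited = true;
        VADER = _vader;
        USDV = _usdv;
        POOLS = _pool;
    }
}

// Hardened: the deployer is recorded at construction and is the only account
// allowed to run init(), which still executes at most once.
contract RouterGuardedInit {
    address private immutable deployer;
    bool private inited;
    address public VADER;
    address public USDV;
    address public POOLS;

    // Emitted so a deployment script or monitor can confirm who initialised what.
    event Initialised(address indexed caller, address vader, address usdv, address pool);

    constructor() {
        deployer = msg.sender;
    }

    function init(address _vader, address _usdv, address _pool) external {
        require(msg.sender == deployer, "only deployer");
        require(!inited, "already inited");
        require(_vader != address(0) && _usdv != address(0) && _pool != address(0), "zero address");
        inited = true;
        VADER = _vader;
        USDV = _usdv;
        POOLS = _pool;
        emit Initialised(msg.sender, _vader, _usdv, _pool);
    }
}
```

If the contract is created by a factory or deployer contract, `msg.sender` in the constructor is that contract rather than the team's account, so the check has to be adapted. A deployment script can also read back `VADER`, `USDV` and `POOLS` after `init` and abort when they differ from the intended addresses.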

dmvt commented 3 years ago

After considerable evaluation and seeing the wide range of threat factors that were put forward by wardens related to this issue, I've decided that the potential threat here does extend beyond gas.

A worst-case scenario could cause significant damage.

It is extremely unlikely that an attacker could successfully time this type of attack.

An attacker would have to successfully intercept more than one init due to the highly coupled nature of the contract. If they did so incorrectly, the entire system would not function. Presuming they succeeded, the team would also have to overlook the failure of or forget to make multiple critical transaction calls in their deployment scripts. To realize significant financial gains, the attacker would have to leave their exploit code in place for an extended period of time.

The likelihood is extremely low, but the impact would be critical. For this reason, I'm normalizing all of these reports to a Medium Risk.