The init function that initializes important contract state can be called by anyone.
Impact
The attacker can initialize the contract before the legitimate deployer, hoping that the victim continues to use the same contract.
In the best case for the victim, they notice it and have to redeploy their contract costing gas.
Recommended Mitigation Steps
Use the constructor to initialize the contracts or make sure the owner is set in the constructor and the initializer can only be called by the legitimate deployer.
Alternatively, if using proxies, deploy contracts using a factory contract that immediately calls init after deployment.
dmvt
commented
3 years ago
Handle
@cmichelio
Vulnerability details
Vulnerability Details
The
initfunction that initializes important contract state can be called by anyone.Impact
The attacker can initialize the contract before the legitimate deployer, hoping that the victim continues to use the same contract. In the best case for the victim, they notice it and have to redeploy their contract costing gas.
Recommended Mitigation Steps
Use the constructor to initialize the contracts or make sure the owner is set in the constructor and the initializer can only be called by the legitimate deployer. Alternatively, if using proxies, deploy contracts using a factory contract that immediately calls
initafter deployment.