code-423n4 / 2021-06-pooltogether-findings


`initialize` functions can be frontrun #82

Closed code423n4 closed 3 years ago

code423n4 commented 3 years ago

Handle

cmichel

Vulnerability details

The initialize function that initializes important contract state can be called by anyone.

Occurrences:

Impact

The attacker can initialize the contract before the legitimate deployer, hoping that the victim continues to use the same contract. In the best case for the victim, they notice it and have to redeploy their contract, costing gas.

Recommended Mitigation Steps

Use the constructor to initialize non-proxied contracts. For initializing proxy contracts, deploy contracts using a factory contract that immediately calls initialize after deployment, or make sure to call it immediately after deployment and verify the transaction succeeded.

asselstine commented 3 years ago

We use proxy factories to instantiate the contract, so they can't be front-run.

dmvt commented 3 years ago

Closed per comment from sponsor that recommended mitigation was already in place before the report
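
The mitigation discussed in this thread (a factory that deploys a proxy and calls `initialize` in the same transaction), shown as an added example that is not part of the original issue or PoolTogether's code. `ExampleVault`, `ExampleVaultFactory` and `createVault` are hypothetical names, and the EIP-1167 minimal proxy is an assumption chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical contract for illustration; not from the audited code base.
contract ExampleVault {
    address public owner;
    bool private initialized;

    // Callable by anyone, but only the first call succeeds.
    function initialize(address _owner) external {
        require(!initialized, "already initialized");
        require(_owner != address(0), "owner is zero");
        initialized = true;
        owner = _owner;
    }
}

// Hypothetical factory: deployment and initialization share one transaction,
// so no third party can call initialize() on the new proxy first.
contract ExampleVaultFactory {
    address public immutable implementation;

    event VaultCreated(address indexed vault, address indexed owner);

    constructor() {
        ExampleVault impl = new ExampleVault();
        // Lock the implementation so nobody can initialize it directly.
        impl.initialize(address(this));
        implementation = address(impl);
    }

    function createVault(address vaultOwner) external returns (address vault) {
        address impl = implementation;
        assembly {
            // EIP-1167 minimal proxy creation code with the implementation address spliced in.
            let ptr := mload(0x40)
            mstore(ptr, 0x3d602d80600a3d3981f3363d3d373d3d3d363d73000000000000000000000000)
            mstore(add(ptr, 0x14), shl(0x60, impl))
            mstore(add(ptr, 0x28), 0x5af43d82803e903d91602b57fd5bf30000000000000000000000000000000000)
            vault := create(0, ptr, 0x37)
        }
        require(vault != address(0), "create failed");
        // Runs in the same transaction as the deployment; a revert here undoes the deployment too.
        ExampleVault(vault).initialize(vaultOwner);
        emit VaultCreated(vault, vaultOwner);
    }
}
```

A deployer who instead initializes in a separate transaction should confirm afterwards that `owner()` returns the expected address before using the contract.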