The Gov.setInitialGovMain, Payout.setInitialGovPayout, and SherXERC20.initializeSherXERC20 functions, which initialize important contract state, can be called by anyone.
Impact
The attacker can initialize the contract before the legitimate deployer, hoping that the victim continues to use the same contract.
In the best case for the victim, they notice it and have to redeploy their contract, costing gas.
Recommended Mitigation Steps
Maybe it's possible to atomically initialize the state of each facet when it becomes available?
Otherwise, make sure to call it immediately after deployment and verify the transaction succeeded.
Handle
cmichel
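The two mitigations from the report, sketched next to an unguarded initializer. This is an added example, not code from the audited project: the contract names, the `GovStorage` library, its storage slot string and the revert strings are all hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration. All names here are hypothetical stand-ins,
// not the audited project's contracts.
library GovStorage {
    struct Layout {
        address owner;   // recorded once, at construction
        address govMain; // the state the initializer writes
    }
    function layout() internal pure returns (Layout storage l) {
        bytes32 slot = keccak256("example.gov.storage");
        assembly { l.slot := slot }
    }
}

// Before: nothing ties the caller to the deployer, so whoever
// sends the first transaction decides govMain.
contract GovOpenInit {
    function setInitialGovMain(address _govMain) external {
        GovStorage.Layout storage l = GovStorage.layout();
        require(l.govMain == address(0), "ALREADY_SET");
        l.govMain = _govMain;
    }
}

// After, option 1: initialize atomically in the deployment
// transaction, leaving no window between deploy and init.
contract GovAtomicInit {
    constructor(address _govMain) {
        require(_govMain != address(0), "ZERO_GOV");
        GovStorage.layout().govMain = _govMain;
    }
}

// After, option 2: keep a separate initializer, but accept it
// only from the owner recorded at construction.
contract GovOwnerInit {
    constructor() { GovStorage.layout().owner = msg.sender; }

    function setInitialGovMain(address _govMain) external {
        GovStorage.Layout storage l = GovStorage.layout();
        require(msg.sender == l.owner, "NOT_OWNER");
        require(_govMain != address(0), "ZERO_GOV");
        require(l.govMain == address(0), "ALREADY_SET");
        l.govMain = _govMain;
    }
}
```

With option 2, a deployment script should still read `govMain` back after the call and compare it with the intended address, which is the "verify the transaction succeeded" step from the report.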