code-423n4 / 2021-07-sherlock-findings


Government initializer functions can be frontrun #101

Closed code423n4 closed 3 years ago

code423n4 commented 3 years ago

Handle

cmichel

Vulnerability details

The Gov.setInitialGovMain, Payout.setInitialGovPayout, SherXERC20.initializeSherXERC20 functions that initialize important contract state can be called by anyone.

Impact

The attacker can initialize the contract before the legitimate deployer, hoping that the victim continues to use the same contract. In the best case for the victim, they notice it and have to redeploy their contract costing gas.

Recommended Mitigation Steps

Maybe it's possible to atomically initialize the state of each facet when it becomes available? Otherwise, make sure to call it immediately after deployment and verify the transaction succeeded.

Evert0x commented 3 years ago

In all functions a similar check is used: require(msg.sender == LibDiamond.contractOwner(), 'NOT_DEV');

Evert0x commented 3 years ago

The Diamond is deployed first, which sets the LibDiamond.contractOwner()

ghoul-sol commented 3 years ago

per sponsor comment, invalid
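The two initializer patterns this thread contrasts, side by side, as an added Solidity example (not code from the Sherlock repository or from the finding): an unguarded facet initializer of the kind the report describes, next to one gated on the diamond owner as the sponsor describes. LibDiamond below is a trimmed stand-in for the EIP-2535 reference library (only contractOwner is modelled); the contract and library names, the storage-slot strings and the ALREADY_SET one-shot guard are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Trimmed stand-in for EIP-2535 diamond storage (assumption: the project's
// LibDiamond differs in detail; only contractOwner() matters here).
library LibDiamond {
    bytes32 constant DIAMOND_STORAGE_POSITION =
        keccak256("diamond.standard.diamond.storage");

    struct DiamondStorage {
        address contractOwner;
    }

    function diamondStorage() internal pure returns (DiamondStorage storage ds) {
        bytes32 position = DIAMOND_STORAGE_POSITION;
        assembly { ds.slot := position }
    }

    function setContractOwner(address _newOwner) internal {
        diamondStorage().contractOwner = _newOwner;
    }

    function contractOwner() internal view returns (address) {
        return diamondStorage().contractOwner;
    }
}

// Hypothetical facet storage, namespaced so it cannot collide with diamond storage.
library LibGovExample {
    bytes32 constant GOV_STORAGE_POSITION = keccak256("example.gov.storage");

    struct GovStorage {
        address govMain;
    }

    function gs() internal pure returns (GovStorage storage s) {
        bytes32 position = GOV_STORAGE_POSITION;
        assembly { s.slot := position }
    }
}

// The pattern the finding warns about: a one-shot guard alone is not enough,
// because whoever lands the first call after the facet goes live becomes govMain.
contract GovFacetUnprotected {
    function setInitialGovMain(address _govMain) external {
        LibGovExample.GovStorage storage s = LibGovExample.gs();
        require(s.govMain == address(0), "ALREADY_SET");
        s.govMain = _govMain;
    }
}

// The pattern the sponsor describes: the diamond owner is written in the
// Diamond constructor, so the gate is in place before any facet can be called.
// If the facet is called directly instead of via the diamond's delegatecall,
// contractOwner() reads the facet's own (empty) storage and the check still fails.
// The ALREADY_SET guard is kept so that not even the owner can re-run the initializer.
contract GovFacetProtected {
    function setInitialGovMain(address _govMain) external {
        require(msg.sender == LibDiamond.contractOwner(), "NOT_DEV");
        LibGovExample.GovStorage storage s = LibGovExample.gs();
        require(s.govMain == address(0), "ALREADY_SET");
        s.govMain = _govMain;
    }
}

// Trimmed Diamond: the owner exists from construction, before any facet is added.
contract DiamondExample {
    constructor(address _owner) {
        LibDiamond.setContractOwner(_owner);
    }
    // Facet registration and the delegatecall fallback are omitted here.
}
```

The practical check a reviewer would make on a diamond like this is the order of operations: the owner must be set in the Diamond constructor (or before any diamondCut), and every facet initializer must read that owner rather than a facet-local variable, since facet-local storage is empty when executed under delegatecall from the diamond.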