code-423n4 / 2021-08-floatcapital-findings


Race-condition risk with initialize functions #82

Open code423n4 opened 3 years ago

code423n4 commented 3 years ago

Handle

0xRajeev

Vulnerability details

Impact

Race-condition risk with initialize functions if the deployment script is not robust enough to create and initialize contracts atomically, or if factory contracts do not create and initialize appropriately.

If this is not implemented correctly, an attacker can front-run to initialize contracts with their parameters. This, if noticed, will require a redeployment of contracts resulting in potential DoS and reputational damage.

Proof of Concept

https://github.com/code-423n4/2021-08-floatcapital/blob/bd419abf68e775103df6e40d8f0e8d40156c2f81/contracts/contracts/LongShort.sol#L188-L193

https://github.com/code-423n4/2021-08-floatcapital/blob/bd419abf68e775103df6e40d8f0e8d40156c2f81/contracts/contracts/FloatToken.sol#L21-L25

https://github.com/code-423n4/2021-08-floatcapital/blob/bd419abf68e775103df6e40d8f0e8d40156c2f81/contracts/contracts/Staker.sol#L179-L186

Tools Used

Manual Analysis

Recommended Mitigation Steps

Ensure the deployment script is robust enough to create and initialize contracts atomically, or that factory contracts create and initialize them appropriately.

JasoonS commented 3 years ago

We use open-zeppelin scripts to do this automatically.

Additionally, we initialize the base implementations too to prevent any foul play by pranksters.

0xean commented 3 years ago

Given that the contest didn't include the scope of the scripts, and that this is a risk in the contract implementation without a factory, I believe this is a valid risk even if the sponsor believes it's mitigated.
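As an added illustration of both the finding and the sponsor's mitigation (this is example code, not from the Float Capital repository), the contract below shows the two-step deploy-then-initialize window beside a factory that deploys and initializes the proxy in a single transaction and disables the initializers on the implementation itself. It assumes OpenZeppelin Contracts 4.6 or later (for `_disableInitializers()`), and the `HardenedMarket`, `MarketFactory` and `admin` names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";

// Example contract (not the project's own). Pattern at risk: the proxy is
// created in one transaction and initialize() is sent in a later one. The
// `initializer` modifier only guarantees a single call, so whoever lands the
// first initialize() call owns the contract; the deployer must then redeploy.
contract ExposedMarket is Initializable {
    address public admin;
    function initialize(address _admin) external initializer {
        admin = _admin;
    }
}

// Hardened variant: the implementation's initializers are disabled in its
// constructor, so the bare implementation can never be initialized by a
// third party (the "initialize the base implementations" mitigation).
contract HardenedMarket is Initializable {
    address public admin;
    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        _disableInitializers();
    }
    function initialize(address _admin) external initializer {
        require(_admin != address(0), "admin is zero");
        admin = _admin;
    }
}

// Factory: proxy creation and initialization happen in the same transaction
// (the init calldata is delegatecalled in the proxy constructor), so no
// block exists in which an uninitialized proxy is reachable.
contract MarketFactory {
    address public immutable implementation;
    event MarketDeployed(address proxy, address admin);
    constructor() {
        implementation = address(new HardenedMarket());
    }
    function deploy(address admin) external returns (address proxy) {
        bytes memory init = abi.encodeWithSelector(HardenedMarket.initialize.selector, admin);
        proxy = address(new ERC1967Proxy(implementation, init));
        emit MarketDeployed(proxy, admin);
    }
}
```

A deployment script that still uses the two-step pattern should at least check, before any further setup, that the proxy's `admin` (or equivalent owner slot) equals the expected address, and abort if it does not.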