Open code423n4 opened 3 years ago
The function can be frontrun; a typical way to avoid that is to have a constructor which sets msg.sender as the only account that can call initialize.
An alternative mitigation is to use UpgradeableProxies (from OZ), which allow deploying and initializing in the same tx, making it impossible to be frontrun.
Will downgrade to low severity
Handle
jah
Vulnerability details
Impact
As the initialize function is public, it can be called by anyone and it can be front run by a hacker.
Proof of Concept
https://github.com/code-423n4/2021-09-defiProtocol/blob/52b74824c42acbcd64248f68c40128fe3a82caf6/contracts/contracts/Basket.sol#L36
Tools Used
Manual analysis
Recommended Mitigation Steps
Call the initialize function in the constructor.
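
The mitigations discussed in this issue, as an added Solidity example (not code from Basket.sol or the project): an unguarded `initialize` next to a deployer-gated one, and a factory that deploys and initializes in one transaction. All contract and variable names are hypothetical, and the factory uses a plain `new` deployment standing in for the OpenZeppelin proxy approach mentioned above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.7;

// Hypothetical contracts for illustration; none of these names come from the audited code.

// Before: any account that observes the deployment can call initialize() first
// and set itself as owner.
contract UnprotectedVault {
    address public owner;
    bool private initialized;

    function initialize(address owner_) public {
        require(!initialized, "already initialized");
        initialized = true;
        owner = owner_;
    }
}

// After, option 1: the constructor records the deployer, and only that
// account may call initialize().
contract DeployerGatedVault {
    address public immutable deployer;
    address public owner;
    bool private initialized;

    constructor() {
        deployer = msg.sender;
    }

    function initialize(address owner_) external {
        require(msg.sender == deployer, "not deployer");
        require(!initialized, "already initialized");
        initialized = true;
        owner = owner_;
    }
}

// After, option 2: deployment and initialization happen in the same
// transaction, so there is no window in which the contract is uninitialized.
contract VaultFactory {
    event VaultCreated(address vault, address owner);

    function create(address owner_) external returns (address) {
        DeployerGatedVault vault = new DeployerGatedVault(); // deployer == this factory
        vault.initialize(owner_);                            // same tx as the deployment
        emit VaultCreated(address(vault), owner_);
        return address(vault);
    }
}
```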