
Initialize function of Basket can be invoked multiple times #74

Closed code423n4 closed 2 years ago

code423n4 commented 3 years ago

Handle

loop

Vulnerability details

The initialize function in Basket has no safeguard for getting invoked again after Basket has been initialized from Factory.

Impact

State variables of the basket can be overwritten.

Proof of Concept

The initialize function sets most of the state variables:

```solidity
function initialize(IFactory.Proposal memory proposal, IAuction auction) public override {
    publisher = proposal.proposer;
    licenseFee = proposal.licenseFee;
    factory = IFactory(msg.sender);
    auction = auction;
    ibRatio = BASE;
    tokens = proposal.tokens;
    weights = proposal.weights;
    approveUnderlying(address(auction));

    __ERC20_init(proposal.tokenName, proposal.tokenSymbol);
}
```

Creating a contract using IFactory, a custom proposal can be passed to the initialize function, overwriting the state variables of the Basket contract.

Recommended Mitigation Steps

Use an `initialized` boolean, similar to the initialize function in Auction:

```solidity
function initialize(address basket_, address factory_) public override {
    require(!initialized);
    basket = IBasket(basket_);
    factory = IFactory(factory_);
    initialized = true;
}
```
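The re-initialization path and the recommended guard, side by side, as an added example; this is not the audited project's code, and every name in it (`Proposal`, `BasketUnguarded`, `BasketGuarded`, `InitGuardCheck`, the constructed proposal values) is assumed for illustration:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the project's code. A minimal Basket-style contract with
// an unguarded initialize() beside a guarded one, plus a small check contract
// that calls initialize() twice on each and reports what happened.

// Assumed stand-in for IFactory.Proposal: only the fields the example needs.
struct Proposal {
    address proposer;
    uint256 licenseFee;
    address[] tokens;
    uint256[] weights;
}

contract BasketUnguarded {
    address public publisher;
    uint256 public licenseFee;
    address public factory;
    address public auction;
    address[] public tokens;
    uint256[] public weights;

    // No guard: any later caller can pass a new proposal and overwrite
    // everything the factory set on the first call.
    function initialize(Proposal memory proposal, address auction_) public {
        publisher = proposal.proposer;
        licenseFee = proposal.licenseFee;
        factory = msg.sender;
        auction = auction_;
        tokens = proposal.tokens;
        weights = proposal.weights;
    }
}

contract BasketGuarded {
    address public publisher;
    uint256 public licenseFee;
    address public factory;
    address public auction;
    address[] public tokens;
    uint256[] public weights;
    bool private initialized;

    // Guarded: the flag is checked first and set before any other state is
    // written, so a second call reverts and the first caller's values stay.
    function initialize(Proposal memory proposal, address auction_) public {
        require(!initialized, "Basket: already initialized");
        initialized = true;
        publisher = proposal.proposer;
        licenseFee = proposal.licenseFee;
        factory = msg.sender;
        auction = auction_;
        tokens = proposal.tokens;
        weights = proposal.weights;
    }
}

contract InitGuardCheck {
    // Returns (unguardedOverwritten, guardedRejected). Inputs are constructed
    // sample values, not data from any deployment.
    function run() external returns (bool unguardedOverwritten, bool guardedRejected) {
        Proposal memory first = Proposal(address(1), 100, new address[](0), new uint256[](0));
        Proposal memory second = Proposal(address(2), 999, new address[](0), new uint256[](0));

        BasketUnguarded u = new BasketUnguarded();
        u.initialize(first, address(0xA));
        u.initialize(second, address(0xB));        // succeeds: publisher is now address(2)
        unguardedOverwritten = (u.publisher() == address(2) && u.licenseFee() == 999);

        BasketGuarded g = new BasketGuarded();
        g.initialize(first, address(0xA));
        try g.initialize(second, address(0xB)) {
            guardedRejected = false;               // would mean the guard failed
        } catch {
            guardedRejected = true;                // require(!initialized) reverted
        }
        // Expected: (true, true)
    }
}
```

Deploy `InitGuardCheck` and call `run()`; the unguarded basket reports its publisher and fee replaced by the second proposal, while the guarded basket's second call reverts and its first values remain. Setting the flag before the other assignments, as shown, also keeps the guard effective if a later version of `initialize` makes an external call that could re-enter it; OpenZeppelin's `Initializable` contract provides the same check as an `initializer` modifier for projects that prefer not to hand-roll the flag.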

frank-beard commented 3 years ago

https://github.com/code-423n4/2021-09-defiprotocol-findings/issues/182

GalloDaSballo commented 2 years ago

Duplicate of #50