Open code423n4 opened 3 years ago
To my understanding ListFactory
is part of original deployment so I guess that developers would see misconfigured system before releasing it to production. Also, front running deployments is quite rare with an exception of Curve DAO of course. Low risk.
Handle
hrkrshnn
Vulnerability details
An adversarial attacker can initialize ListFactory
The ListFactory contract has a default constructor. However, the proper initialization of state variables is done in initListFactor. This makes it vulnerable to front-running as well as a targeted attack by an adversary.
Here is an example flow of events:
ListFactory
ListFactory.initListFactory(_accessControls, _pointListTemplate, _minimumFee)
._accessControls
,_pointListTemplate
and_minimumFee
to whatever they please.initListFactory
reverts.If Alice is not careful enough to check if their call succeeded, then they might use an incorrectly initialized
ListFactory
contract.A second flow of events:
ListFactory
create
tx with bytecode that matches the bytecode ofListFactory
(Bob has to plan this in advance).ListFactory.initListFactory(_accessControls, _pointListTemplate, _minimumFee)
to immediately follow Alice'sListFactory
deployment. Tools such as flashbots allow doing this precisely.Alice's deployed contract is now useless, since the parameters were initialized by Bob. Bob can effectively deny Alice from deploying a useful version of
ListFactory
.Note that there are several other places, where this pattern is used, for example in MISOAccessFactory (generally, function names that match
init*
would all fall under this category.)Recommended Mitigation Steps
accessControls
andpointListTemplate
can be madeimmutable
.ListFactory
from another smart contract using acreate
call, followed byinitListFactory(...)
in the same transaction.If the latter approach is used, consider explicitly specifying this in the contract documentation.