ghoul-sol
commented
3 years ago To my understanding ListFactory is part of original deployment so I guess that developers would see misconfigured system before releasing it to production. Also, front running deployments is quite rare with an exception of Curve DAO of course. Low risk.
Handle
hrkrshnn
Vulnerability details
An adversarial attacker can initialize ListFactory
The ListFactory contract has a default constructor. However, the proper initialization of state variables is done in initListFactor. This makes it vulnerable to front-running as well as a targeted attack by an adversary.
Here is an example flow of events:
ListFactoryListFactory.initListFactory(_accessControls, _pointListTemplate, _minimumFee)._accessControls,_pointListTemplateand_minimumFeeto whatever they please.initListFactoryreverts.If Alice is not careful enough to check if their call succeeded, then they might use an incorrectly initialized
ListFactorycontract.A second flow of events:
ListFactorycreatetx with bytecode that matches the bytecode ofListFactory(Bob has to plan this in advance).ListFactory.initListFactory(_accessControls, _pointListTemplate, _minimumFee)to immediately follow Alice'sListFactorydeployment. Tools such as flashbots allow doing this precisely.Alice's deployed contract is now useless, since the parameters were initialized by Bob. Bob can effectively deny Alice from deploying a useful version of
ListFactory.Note that there are several other places, where this pattern is used, for example in MISOAccessFactory (generally, function names that match
init*would all fall under this category.)Recommended Mitigation Steps
accessControlsandpointListTemplatecan be madeimmutable.ListFactoryfrom another smart contract using acreatecall, followed byinitListFactory(...)in the same transaction.If the latter approach is used, consider explicitly specifying this in the contract documentation.