GalloDaSballo
commented
2 years ago Masively disagree with this finding, you can deploy an upgradeable proxy and call initializer on the same tx, you can't frontrun and no-one can call it after you do
Closed code423n4 closed 2 years ago
GalloDaSballo
commented
2 years ago Masively disagree with this finding, you can deploy an upgradeable proxy and call initializer on the same tx, you can't frontrun and no-one can call it after you do
0xleastwood
commented
2 years ago Agree with sponsor, marking invalid.
Handle
WatchPug
Vulnerability details
The initializer functions that initialize important contract states can be called by anyone.
Impact
The attacker can initialize the contract before the legitimate deployer, hoping that the victim continues to use the same contract.
In the best case for the victim, they notice it and have to redeploy their contract costing gas.
Recommendation
Use the constructor to initialize non-proxied contracts.
For initializing proxy contracts deploy contracts using a factory contract that immediately calls initialize after deployment or make sure to call it immediately after deployment and verify the transaction succeeded.
https://github.com/Badger-Finance/ibbtc/blob/d8b95e8d145eb196ba20033267a9ba43a17be02c/contracts/Zap.sol#L46-L82
https://github.com/Badger-Finance/badger-ibbtc-utility-zaps/blob/a5c71b72222d84b6414ca0339ed1761dc79fe56e/contracts/SettToRenIbbtcZap.sol#L50-L101
https://github.com/Badger-Finance/badger-ibbtc-utility-zaps/blob/a5c71b72222d84b6414ca0339ed1761dc79fe56e/contracts/IbbtcVaultZap.sol#L49-L87