Open code423n4 opened 2 years ago
Jujic
Vulnerability details

Impact
The function initializeProxyAdmin() can be called by anyone the first time, which allows an attacker to set the ProxyAdmin of the contract to themselves, leading to a denial of service attack.

Proof of Concept
https://github.com/unlock-protocol/unlock/blob/dda84f298e51ea37af514133e861052f21164b37/smart-contracts/contracts/Unlock.sol#L153

Recommended Mitigation Steps
Add access modifier.
If this was front-run we could easily re-deploy anyway?
Agree with warden here. This can cause unintended consequences. It makes sense to call initializeProxyAdmin() from within initialize().
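As an added illustration (hypothetical minimal contracts written for this page, not the Unlock.sol code linked above), the pattern the warden describes beside the two mitigations raised in this thread: an access modifier on initializeProxyAdmin(), and assigning the ProxyAdmin from within initialize() so no separate transaction window exists. The real contract deploys a ProxyAdmin contract rather than storing an address; that is simplified here to a single storage slot.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Hypothetical minimal contracts, not Unlock.sol: storage is set up by
// initialize() rather than a constructor, as in an upgradeable proxy target.

// VULNERABLE: initializeProxyAdmin() is public and its only guard is "not yet
// set", so whoever calls it first becomes the ProxyAdmin and the legitimate
// deployer is locked out of the admin role for good.
contract VulnerableUnlock {
    address public owner;
    address public proxyAdminAddress;

    function initialize(address _owner) public {
        require(owner == address(0), "ALREADY_INITIALIZED");
        owner = _owner;
    }

    function initializeProxyAdmin() public {
        require(proxyAdminAddress == address(0), "ALREADY_DEPLOYED");
        proxyAdminAddress = msg.sender; // first caller wins
    }
}

// HARDENED: the ProxyAdmin is assigned inside initialize(), so no separate
// window exists, and the public entry point is restricted to the owner.
contract HardenedUnlock {
    address public owner;
    address public proxyAdminAddress;

    modifier onlyOwner() {
        require(msg.sender == owner, "ONLY_OWNER");
        _;
    }

    function initialize(address _owner) public {
        require(owner == address(0), "ALREADY_INITIALIZED");
        owner = _owner;
        _setProxyAdmin(_owner);
    }

    // Kept for the upgrade flow, but only the owner may call it.
    function initializeProxyAdmin() public onlyOwner {
        _setProxyAdmin(msg.sender);
    }

    function _setProxyAdmin(address admin) private {
        require(proxyAdminAddress == address(0), "ALREADY_DEPLOYED");
        proxyAdminAddress = admin;
    }
}
```

In the hardened version the "not yet set" check still exists, but it can only ever be satisfied by the owner, so a stranger calling initializeProxyAdmin() reverts with ONLY_OWNER instead of claiming the role.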