code-423n4 / 2021-12-amun-findings


Lack of access modifier in Initialize() #241

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

JMukesh

Vulnerability details

Impact

Initialize() initializes important contract state and can be called by anyone. Since it lacks an access modifier, an attacker can initialize the contract before the legitimate deployer. The attacker, hoping that the victim continues to use the same contract, can hijack the victim's POAP. In the best-case scenario, the target would notice this falsely deployed contract and redeploy their legitimate contract, but this costs them gas.

Proof of Concept

The contracts which use initialize() all lack an access modifier.

Tools Used

Manual review

Recommended Mitigation Steps

Add access control or use a constructor to initialize the non-proxy contracts.
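
The two mitigations named in the report, shown beside the unprotected pattern. This is an added example, not part of the original report or the audited code; the contract names and the owner/token fields are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Hypothetical contracts for illustration; names are not from the audited code base.

// Before: initialize() has no access modifier, so whoever calls it first
// after deployment decides who the owner is.
contract UnprotectedVault {
    address public owner;
    address public token;
    bool private initialized;

    function initialize(address _owner, address _token) external {
        require(!initialized, "already initialized");
        initialized = true;
        owner = _owner;
        token = _token;
    }
}

// After, option 1: a non-proxy contract sets its state in the constructor,
// so there is no window between deployment and initialization.
contract ConstructorVault {
    address public immutable owner;
    address public immutable token;

    constructor(address _owner, address _token) {
        require(_owner != address(0) && _token != address(0), "zero address");
        owner = _owner;
        token = _token;
    }
}

// After, option 2: keep initialize(), restricted to the deployer and to one call.
contract GuardedVault {
    address private immutable deployer;
    address public owner;
    address public token;
    bool private initialized;

    constructor() { deployer = msg.sender; }

    function initialize(address _owner, address _token) external {
        require(msg.sender == deployer, "not deployer");
        require(!initialized, "already initialized");
        require(_owner != address(0) && _token != address(0), "zero address");
        initialized = true;
        owner = _owner;
        token = _token;
    }
}
```

When a contract is deployed by a factory, `msg.sender` in the `GuardedVault` constructor is the factory, so the factory is the only address that can call `initialize()`.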