The initialization status is defined by the name and symbol. It is possible to set them back to an empty string, which uninitializes the contract and lets the initialize(..) function be called again. This way, the owner may, for example, hide minting additional tokens. Or, after the name and symbol are accidentally set to empty strings, anyone can take control over the contract and mint any number of tokens.
In general, it shouldn't be possible to initialize more than once.
Tools Used
Manual analysis
Recommended Mitigation Steps
Consider adding empty string checks in setName(...) and setSymbol(...) functions.
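The recommended checks, sketched as an added example rather than the audited project's code. The contract name, the owner/balanceOf layout, the supply parameter and the rule that the contract counts as uninitialized while both strings are empty are assumptions; only initialize, setName and setSymbol are named in the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical sketch: everything except the function names initialize,
// setName and setSymbol is assumed for illustration.
contract TokenSketch {
    string public name;
    string public symbol;
    address public owner;
    mapping(address => uint256) public balanceOf;

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Initialization status is derived from name and symbol, as the finding
    // describes. Assumption: empty name AND empty symbol mean "uninitialized".
    function initialize(
        string memory name_,
        string memory symbol_,
        uint256 supply
    ) external {
        require(
            bytes(name).length == 0 && bytes(symbol).length == 0,
            "already initialized"
        );
        // The setter checks below only help if initialize() itself cannot
        // leave the contract looking uninitialized.
        require(
            bytes(name_).length != 0 && bytes(symbol_).length != 0,
            "empty string"
        );
        name = name_;
        symbol = symbol_;
        owner = msg.sender;
        balanceOf[msg.sender] = supply;
    }

    // Without this require, setName("") followed by setSymbol("") would put
    // the contract back into the state that initialize() accepts.
    function setName(string memory name_) external onlyOwner {
        require(bytes(name_).length != 0, "empty name");
        name = name_;
    }

    function setSymbol(string memory symbol_) external onlyOwner {
        require(bytes(symbol_).length != 0, "empty symbol");
        symbol = symbol_;
    }
}
```

A dedicated boolean flag that initialize() sets once removes the dependence on mutable fields altogether and is an alternative to per-setter checks.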
Handle
Czar102