Handle
cmichel
Vulnerability details
The setAddresses function that initializes important contract state can be called by anyone.
See: WJLP.setAddresses
Impact
The attacker can initialize the contract before the legitimate deployer, hoping that the victim continues to use the same contract. In the best case for the victim, they notice it and have to redeploy their contract, which costs gas.
Recommended Mitigation Steps
Use the constructor to initialize the addresses.
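
The pattern described above next to the recommended fix, as an added example that is not the WJLP source. The contract names, the two address fields and the one-time flag are assumptions chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical contracts for illustration only; not the WJLP code.

// Before: initialization is a separate external call with no caller check.
// Whoever sends the first transaction after deployment decides which
// addresses the contract trusts.
contract WrapperUnprotectedInit {
    address public activePool;      // assumed dependency
    address public stabilityPool;   // assumed dependency
    bool private addressesSet;      // assumed one-time flag

    function setAddresses(address _activePool, address _stabilityPool) external {
        // Guards against a second call, but not against the wrong caller.
        require(!addressesSet, "addresses already set");
        activePool = _activePool;
        stabilityPool = _stabilityPool;
        addressesSet = true;
    }
}

// After: the addresses are set in the constructor, so they are fixed in the
// same transaction that creates the contract and no initialization window
// exists for a third party.
contract WrapperConstructorInit {
    address public immutable activePool;
    address public immutable stabilityPool;

    constructor(address _activePool, address _stabilityPool) {
        require(_activePool != address(0), "activePool is zero");
        require(_stabilityPool != address(0), "stabilityPool is zero");
        activePool = _activePool;
        stabilityPool = _stabilityPool;
    }
}
```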