`setAddresses()` functions can be front run

[code423n4]

Handle

WatchPug

Vulnerability details

The WJLP.sol#setAddresses() function that initializes important contract state can be called by anyone.

Impact

The attacker can initialize the contract before the legitimate deployer, hoping that the victim continues to use the same contract.

In the best case for the victim, they notice it and have to redeploy their contract costing gas.

Recommendation

Consider using the constructor to initialize non-proxied contracts.

Or, make sure to call it immediately after deployment and verify the transaction succeeded.

https://github.com/code-423n4/2021-12-yetifinance/blob/5f5bf61209b722ba568623d8446111b1ea5cb61c/packages/contracts/contracts/AssetWrappers/WJLP/WJLP.sol#L102-L117

function setAddresses(
    address _activePool,
    address _TML,
    address _TMR,
    address _defaultPool,
    address _stabilityPool,
    address _YetiFinanceTreasury) external {
    require(!addressesSet);
    activePool = _activePool;
    TML = _TML;
    TMR = _TMR;
    defaultPool = _defaultPool;
    stabilityPool = _stabilityPool;
    YetiFinanceTreasury = _YetiFinanceTreasury;
    addressesSet = true;
}

[kingyetifinance]

@LilYeti: Duplicate #105