Closed code423n4 closed 2 years ago
wuwe1
There is no check on status of initializing.
https://github.com/code-423n4/2022-01-openleverage/blob/main/openleverage-contracts/contracts/ControllerV1.sol#L33-L50
If deployer set admin_ to be the same address as msg.sender, then initialize can be called multiple times by calling delegateToImplementation directly.
admin_
msg.sender
initialize
delegateToImplementation
https://github.com/code-423n4/2022-01-openleverage/blob/main/openleverage-contracts/contracts/ControllerDelegator.sol#L34
The same problem occurs in OpenLevV1, XOLE and LPool as well.
https://github.com/code-423n4/2022-01-openleverage/blob/main/openleverage-contracts/contracts/OpenLevV1.sol#L38-L56
https://github.com/code-423n4/2022-01-openleverage/blob/main/openleverage-contracts/contracts/OpenLevDelegator.sol#L23-L37
https://github.com/code-423n4/2022-01-openleverage/blob/main/openleverage-contracts/contracts/XOLE.sol#L40-L53
https://github.com/code-423n4/2022-01-openleverage/blob/main/openleverage-contracts/contracts/XOLEDelegator.sol#L24-L36
https://github.com/code-423n4/2022-01-openleverage/blob/main/openleverage-contracts/contracts/liquidity/LPool.sol#L38
Add a variable bool initialized
bool initialized
Set initialized to be true in the implementation contract's initialize function
initialized
Set initialized to be false in the delegator contract's setImplementation function
setImplementation
Duplicate to #67
Handle
wuwe1
Vulnerability details
Proof of Concept
There is no check on status of initializing.
https://github.com/code-423n4/2022-01-openleverage/blob/main/openleverage-contracts/contracts/ControllerV1.sol#L33-L50
If deployer set
admin_
to be the same address asmsg.sender
, theninitialize
can be called multiple times by callingdelegateToImplementation
directly.https://github.com/code-423n4/2022-01-openleverage/blob/main/openleverage-contracts/contracts/ControllerDelegator.sol#L34
The same problem occurs in OpenLevV1, XOLE and LPool as well.
https://github.com/code-423n4/2022-01-openleverage/blob/main/openleverage-contracts/contracts/OpenLevV1.sol#L38-L56
https://github.com/code-423n4/2022-01-openleverage/blob/main/openleverage-contracts/contracts/OpenLevDelegator.sol#L23-L37
https://github.com/code-423n4/2022-01-openleverage/blob/main/openleverage-contracts/contracts/XOLE.sol#L40-L53
https://github.com/code-423n4/2022-01-openleverage/blob/main/openleverage-contracts/contracts/XOLEDelegator.sol#L24-L36
https://github.com/code-423n4/2022-01-openleverage/blob/main/openleverage-contracts/contracts/liquidity/LPool.sol#L38
Recommended Mitigation Steps
Add a variable
bool initialized
Set
initialized
to be true in the implementation contract'sinitialize
functionSet
initialized
to be false in the delegator contract'ssetImplementation
function