The initialize() function in XOLE.sol has a comment of "This function is not supposed to call multiple times" but it has no checks that prevent it from being called multiple times. An initialization function should only be possible to call once.
One side effect of this is that the XOLE.sol initializer function can overwrite the oleToken, devFundRatio, dev, and dexAgg values. This can result in unexpected edge cases, such as bypassing the requirement that devFundRatio <= 10000 in the setDevFundRatio() function.
Handle
sirhashalot
Vulnerability details
Impact
The
initialize()
function in XOLE.sol has a comment of "This function is not supposed to call multiple times" but it has no checks that prevent it from being called multiple times. An initialization function should only be possible to call once.One side effect of this is that the XOLE.sol initializer function can overwrite the oleToken, devFundRatio, dev, and dexAgg values. This can result in unexpected edge cases, such as bypassing the requirement that
devFundRatio <= 10000
in thesetDevFundRatio()
function.Proof of Concept
The
initialize()
function in XOLE.sol specifically states that it should not be called multiple times, but the code does not match the intent because there are no checks that prevent the initializer from being called twice or more.Recommended Mitigation Steps
Use the initializer modifier from OpenZeppelin or a similar piece of code to validate that the
initializer()
function is only callable once.