The initialize() function in OpenLevV1.sol has a comment of "This function is not supposed to call multiple times" but it has no checks that prevent it from being called multiple times. An initialization function should only be possible to call once. One side effect of this is that the OpenLevV1.sol initializer function can overwrite the values of the addressConfig struct with the initializer, a potentially unexpected condition.
Handle
sirhashalot
Vulnerability details
Impact
The
initialize()
function in OpenLevV1.sol has a comment of "This function is not supposed to call multiple times" but it has no checks that prevent it from being called multiple times. An initialization function should only be possible to call once. One side effect of this is that the OpenLevV1.sol initializer function can overwrite the values of the addressConfig struct with the initializer, a potentially unexpected condition.Proof of Concept
The
initialize()
function in OpenLevV1.sol specifically states that it should not be called multiple times, but the code does not match the intent because there are no checks that prevent the initializer from being called twice or more.Recommended Mitigation Steps
Use the initializer modifier from OpenZeppelin or a similar piece of code to validate that the
initializer()
function is only callable once.