Open code423n4 opened 2 years ago
hyh
Being instantiated with wrong configuration the contract will be inoperable.
If a misconfiguration is noticed too late the various types of malfunctions become possible.
RocketJoeStaking.initialize doesn't check input parameters, which are immutable due to initializer pattern:
https://github.com/code-423n4/2022-01-trader-joe/blob/main/contracts/RocketJoeStaking.sol#L72-75
Consider checking joe, rJoe addresses and lastRewardTimestamp to be non-zero and also checking rJoePerSec to be within pre specified bounds
https://github.com/traderjoe-xyz/rocket-joe/pull/76 https://github.com/traderjoe-xyz/rocket-joe/commit/e2413316240100e018b6f4d883ae62186c85cd4a
Handle
hyh
Vulnerability details
Impact
Being instantiated with wrong configuration the contract will be inoperable.
If a misconfiguration is noticed too late the various types of malfunctions become possible.
Proof of Concept
RocketJoeStaking.initialize doesn't check input parameters, which are immutable due to initializer pattern:
https://github.com/code-423n4/2022-01-trader-joe/blob/main/contracts/RocketJoeStaking.sol#L72-75
Recommended Mitigation Steps
Consider checking joe, rJoe addresses and lastRewardTimestamp to be non-zero and also checking rJoePerSec to be within pre specified bounds