code-423n4 / 2022-02-anchor-findings


Money markets: `register_contracts` can be frontrun #36

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-02-anchor/blob/7af353e3234837979a19ddc8093dc9ad3c63ab6b/contracts%2Fmoney-market-contracts%2Fcontracts%2Fmarket%2Fsrc%2Fcontract.rs#L259

Vulnerability details

Impact

The `register_contracts` function has no authorization checks except that the value has never been initialized. Anyone can immediately call this function after deployment with a malicious token.

The attacker can initialize the contract before the legitimate deployer, hoping that the victim continues to use the same contract. This will lead to them controlling the governance. In the best case for the victim, they notice it and have to redeploy their contract, costing transaction fees.

Recommended Mitigation Steps

Can it be initialized in the `instantiate` function?
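The following is an added example, not part of the original report and not Anchor's code: a simplified plain-Rust model of a one-shot registration entry point, showing the "not yet set" guard beside a sender check, initialization at instantiate time, and a deployer-side read-back check. All names (`Market`, `register_unchecked`, `register_checked`, `verify_registration`) and address strings are hypothetical.

```rust
// Simplified, constructed model of a one-shot registration entry point.
// Names (Market, register_unchecked, ...) are hypothetical, not Anchor's code.
#[derive(Debug, PartialEq)]
pub enum Error { Unauthorized, AlreadyRegistered }

pub struct Market {
    pub deployer: String,
    pub token: Option<String>, // set exactly once
}

impl Market {
    // Passing Some(token) sets the value at instantiate time, as the report suggests.
    pub fn instantiate(deployer: &str, token: Option<&str>) -> Self {
        Market { deployer: deployer.to_string(), token: token.map(str::to_string) }
    }

    // Pattern described in the report: the only guard is "not yet set".
    pub fn register_unchecked(&mut self, _sender: &str, token: &str) -> Result<(), Error> {
        if self.token.is_some() {
            return Err(Error::AlreadyRegistered);
        }
        self.token = Some(token.to_string());
        Ok(())
    }

    // Alternative guard (assumption): sender must match the recorded deployer.
    pub fn register_checked(&mut self, sender: &str, token: &str) -> Result<(), Error> {
        if sender != self.deployer {
            return Err(Error::Unauthorized);
        }
        self.register_unchecked(sender, token)
    }
}

// Deployer-side post-deployment check: read the state back and compare.
pub fn verify_registration(m: &Market, expected: &str) -> bool {
    m.token.as_deref() == Some(expected)
}

fn main() {
    let mut open = Market::instantiate("deployer", None);
    open.register_unchecked("someone_else", "token_x").unwrap();
    // The deployer's own call now fails and the read-back check flags the mismatch.
    println!("{:?}", open.register_unchecked("deployer", "token_real"));
    println!("verified: {}", verify_registration(&open, "token_real"));
    let mut guarded = Market::instantiate("deployer", None);
    println!("{:?}", guarded.register_checked("someone_else", "token_x"));
}
```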

GalloDaSballo commented 2 years ago

Looks valid, unclear if a re-deploy would be sufficient (QA maybe?)

albertchon commented 2 years ago

Valid report, but downgrading to QA, as it would easily be detected by the deployer.