Lines of code
https://github.com/code-423n4/2022-02-anchor/blob/7af353e3234837979a19ddc8093dc9ad3c63ab6b/contracts%2Fmoney-market-contracts%2Fcontracts%2Fmarket%2Fsrc%2Fcontract.rs#L259
Vulnerability details
Impact
The register_contracts function has no authorization checks except that the value has never been initialized. Anyone can immediately call this function after deployment with a malicious token. The attacker can initialize the contract before the legitimate deployer, hoping that the victim continues to use the same contract. This will lead to them controlling the governance. In the best case for the victim, they notice it and have to redeploy their contract, costing transaction fees.
Recommended Mitigation Steps
Can it be initialized in the instantiate function?
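The pattern described above, next to two hardened forms, as an added example that is not the Anchor contract's code. It is a plain-Rust model without cosmwasm_std; `Config`, `owner`, `token` and all function names are assumptions made for illustration.

```rust
// Plain-Rust model of a one-shot registration guard (all names are hypothetical).
#[derive(Debug, PartialEq)]
enum Error {
    Unauthorized,
}

struct Config {
    owner: String,         // fixed at instantiate time
    token: Option<String>, // filled in later by a register call
}

// Setting the token here (the report's suggestion) leaves no window after deployment.
fn instantiate(owner: &str, token: Option<&str>) -> Config {
    Config { owner: owner.to_string(), token: token.map(str::to_string) }
}

// "Before": the only guard is that the value is still unset, so the first caller wins.
fn register_unguarded(cfg: &mut Config, _sender: &str, token: &str) -> Result<(), Error> {
    if cfg.token.is_some() {
        return Err(Error::Unauthorized);
    }
    cfg.token = Some(token.to_string());
    Ok(())
}

// Hardened two-step setup: same one-shot guard, plus a check against the stored owner.
fn register_owner_only(cfg: &mut Config, sender: &str, token: &str) -> Result<(), Error> {
    if sender != cfg.owner || cfg.token.is_some() {
        return Err(Error::Unauthorized);
    }
    cfg.token = Some(token.to_string());
    Ok(())
}

fn main() {
    // Constructed scenario: a stranger calls before the deployer does.
    let mut a = instantiate("deployer", None);
    println!("unguarded, stranger first:  {:?}", register_unguarded(&mut a, "stranger", "evil"));
    println!("unguarded, deployer second: {:?}", register_unguarded(&mut a, "deployer", "good"));
    println!("unguarded, stored token:    {:?}", a.token);

    let mut b = instantiate("deployer", None);
    println!("owner-only, stranger:       {:?}", register_owner_only(&mut b, "stranger", "evil"));
    println!("owner-only, deployer:       {:?}", register_owner_only(&mut b, "deployer", "good"));
    println!("owner-only, stored token:   {:?}", b.token);
}
```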