GalloDaSballo
commented
2 years ago Looks valid, unclear if a re-deploy would be sufficient (QA maybe?)
Closed code423n4 closed 2 years ago
GalloDaSballo
commented
2 years ago Looks valid, unclear if a re-deploy would be sufficient (QA maybe?)
albertchon
commented
2 years ago Valid report, but downgrading to QA, as it would easily be detected by the deployer.
Lines of code
https://github.com/code-423n4/2022-02-anchor/blob/7af353e3234837979a19ddc8093dc9ad3c63ab6b/contracts%2Fmoney-market-contracts%2Fcontracts%2Fmarket%2Fsrc%2Fcontract.rs#L259
Vulnerability details
Impact
The
register_contractsfunction has no authorization checks except that the value has never been initialized. Anyone can immediately call this function after deployment with a malicious token.The attacker can initialize the contract before the legitimate deployer, hoping that the victim continues to use the same contract. This will lead to them controlling the governance. In the best case for the victim, they notice it and have to redeploy their contract costing transaction fees.
Recommended Mitigation Steps
Can it be initialized in the
instantiatefunction?