Closed code423n4 closed 2 years ago
The treasury contract was listed as out of scope.
Additionally, the deploy scripts we use will set the proxy's implementation address and call initialize in a single transaction -- preventing the frontrun described here. Even if we were to deploy a fresh stack it should be safe.
Agree with the sponsor. Treasury's out of scope, deploy script usually handles frontrunning of initializations.
Lines of code
https://github.com/code-423n4/2022-08-foundation/blob/792e00df42/contracts/FoundationTreasury.sol#L66-L68
Vulnerability details
Impact / Proof of Concept
In `contracts/FoundationTreasury.sol`, an attacker can frontrun a call to `initialize` to register as an admin. If the address of this `treasury` is shared or is already shared with `NFTDropMarket`'s constructor (line 83), then on line 87, `FoundationTreasuryNode` registers this `treasury` and `MarketFees` will send all the protocol fees to this `treasury`, which can be drained by the attacker anytime. The attacker would only need to call `withdrawFunds` from `CollateralManagement` on line 36.
Tools Used
N/A
Recommended Mitigation Steps
Either set an admin for `contracts/FoundationTreasury.sol` in its constructor or restrict access to the `initialize` method of this contract to a certain contract or EOA. Also, make sure the admins are actually approved admins before sharing the `treasury` address with other contracts such as the `MarketFees` contract.
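As an added illustration, not code from the Foundation repository, of the unguarded initializer pattern this report describes beside the two mitigations it recommends (admin fixed in the constructor, or `initialize` gated to a known deployer); all contract and variable names are hypothetical, and the gated variant assumes the implementation and its proxy are deployed by the same account:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Vulnerable pattern: whoever lands the first initialize() call becomes admin.
// A deployment that sets the proxy implementation in one transaction and
// calls initialize() in a later one leaves a window for a third party to win.
contract OpenInitTreasury {
    mapping(address => bool) public isAdmin;
    bool private initialized;

    function initialize(address admin) external {
        require(!initialized, "already initialized");
        initialized = true;
        isAdmin[admin] = true; // first caller picks the admin
    }
}

// Mitigation A: admin fixed at construction, so there is no initializer to race.
// Suitable when the contract is not deployed behind a proxy.
contract ConstructorAdminTreasury {
    mapping(address => bool) public isAdmin;

    constructor(address admin) {
        isAdmin[admin] = true;
    }
}

// Mitigation B (proxy-friendly): initialize() only accepts calls from the
// account that deployed the implementation. `immutable` values live in the
// implementation bytecode, so the check also holds when reached via delegatecall.
contract DeployerGatedTreasury {
    address public immutable deployer;
    mapping(address => bool) public isAdmin;
    bool private initialized;

    constructor() {
        deployer = msg.sender;
    }

    function initialize(address admin) external {
        require(msg.sender == deployer, "not deployer");
        require(!initialized, "already initialized");
        initialized = true;
        isAdmin[admin] = true;
    }
}
```

A deploy script that still performs the implementation upgrade and `initialize()` in one transaction, as the sponsor notes, closes the same window; the gated variant is a defence that does not depend on the script being used correctly.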