No access control allows frontrunning of Manager.initialize()

[code423n4]

Lines of code

https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/manager/Manager.sol#L80-L86

Vulnerability details

Impact

Not sure if I should have this in two seperate reports as two issues affects the same function.

1. There is no access control on Manager.initialize(), so anyone can be the first to call the function and become the owner of Manager contract
2. Since there is no access control, anyone frontrun the initialize() call and become the owner.

Proof of Concept

https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/manager/Manager.sol#L80-L86

Tools Used

Manual review

Recommended Mitigation Steps

Implement proper access control

[GalloDaSballo]

Dup of https://github.com/code-423n4/2022-09-nouns-builder-findings/issues/659

[GalloDaSballo]

L