code-423n4 / 2023-06-lukso-findings


initialize function can be front run #112

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

  1. https://github.com/code-423n4/2023-06-lukso/blob/main/contracts/LSP7DigitalAsset/extensions/LSP7CompatibleERC20InitAbstract.sol#L33
  2. https://github.com/code-423n4/2023-06-lukso/blob/main/contracts/LSP8IdentifiableDigitalAsset/extensions/LSP8CompatibleERC721InitAbstract.sol#L61

Vulnerability details

Impact

The initialize function has the potential to be front-run by a malicious actor. An attacker can front-run the deployer and take over the contract by setting itself as the owner of the contract. Taking ownership will allow malicious acts that cause loss of funds for the project and its users.

Proof of Concept

  1. https://github.com/code-423n4/2023-06-lukso/blob/main/contracts/LSP7DigitalAsset/extensions/LSP7CompatibleERC20InitAbstract.sol#L33
  2. https://github.com/code-423n4/2023-06-lukso/blob/main/contracts/LSP8IdentifiableDigitalAsset/extensions/LSP8CompatibleERC721InitAbstract.sol#L61

Tools Used

Past related audit reports.

  1. https://solodit.xyz/issues/initialization-functions-can-be-front-run-trailofbits-advanced-blockchain-pdf
  2. https://solodit.xyz/issues/possible-front-running-on-initialization-halborn-biconomy-bico-token-pdf

Recommended Mitigation Steps

Implement the factory pattern to deploy and initialise the contract, and add access control to the initialize functions.

Assessed type

Access Control
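As an added illustration of the recommended mitigation, not code from the LUKSO repository or from this report: a hypothetical TokenImpl/TokenFactory pair (names assumed) in which the factory deploys an EIP-1167 clone and initializes it in the same transaction, and the initializer additionally accepts calls only from the factory. It assumes OpenZeppelin's Clones library is available at the import path shown.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

import "@openzeppelin/contracts/proxy/Clones.sol";

// Hypothetical stand-in for an *InitAbstract token: logic lives in one
// implementation, each deployment is a proxy that is configured via initialize().
contract TokenImpl {
    address public owner;
    bool private _initialized;
    // Immutables are baked into bytecode, so every clone sees the same factory.
    address public immutable factory;

    constructor(address factory_) {
        factory = factory_;
        _initialized = true; // never let the implementation itself be initialized
    }

    // The vulnerable shape is an initialize() anyone can call once the proxy exists.
    // Here the call is restricted to the factory, which also guarantees that
    // deployment and initialization happen in one transaction.
    function initialize(address newOwner) external {
        require(msg.sender == factory, "only factory");
        require(!_initialized, "already initialized");
        _initialized = true;
        owner = newOwner;
    }
}

// Factory pattern: deploy the proxy and initialize it atomically, so there is
// no window in which a third party could call initialize() first.
contract TokenFactory {
    address public immutable implementation;

    event TokenDeployed(address indexed token, address indexed owner);

    constructor() {
        // The factory deploys its own implementation, resolving the circular
        // dependency between factory address and implementation address.
        implementation = address(new TokenImpl(address(this)));
    }

    function deployToken(address owner) external returns (address token) {
        token = Clones.clone(implementation); // EIP-1167 minimal proxy
        TokenImpl(token).initialize(owner);   // same tx as the clone: cannot be front-run
        emit TokenDeployed(token, owner);
    }
}
```

The clone's storage starts zeroed, so `_initialized` is false for every new proxy while the implementation's own storage stays locked by its constructor.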

c4-pre-sort commented 1 year ago

minhquanym marked the issue as primary issue

c4-pre-sort commented 1 year ago

minhquanym marked the issue as low quality report

minhquanym commented 1 year ago

OOS in the winning bot race

c4-judge commented 1 year ago

trust1995 marked the issue as unsatisfactory: Out of scope