Lines of code
https://github.com/code-423n4/2023-06-lukso/blob/main/contracts/LSP7DigitalAsset/extensions/LSP7CompatibleERC20InitAbstract.sol#L33
https://github.com/code-423n4/2023-06-lukso/blob/main/contracts/LSP8IdentifiableDigitalAsset/extensions/LSP8CompatibleERC721InitAbstract.sol#L61
Vulnerability details
Impact
The initialize function can be front-run by a malicious actor. An attacker who sees the deployment can front-run the deployer's initialisation call and take over the contract by setting itself as the owner. With ownership, the attacker can carry out malicious actions that cause loss of funds for the project and its users.
Proof of Concept
Tools Used
Past related audit reports.
Recommended Mitigation Steps
Use a factory pattern that deploys and initialises the contract in a single transaction, so no uninitialised instance is ever visible on-chain, and add access control to the initialize functions so that only the intended deployer can call them.
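The mitigation as an added illustration (example code, not the LUKSO contracts or anything from this report): a hypothetical TokenInit implementation whose initialize can only be called by the factory that deployed it, and a TokenFactory that clones and initialises in one transaction. It assumes OpenZeppelin's Initializable and Clones; the contract and function names are invented for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Assumed dependency: OpenZeppelin Contracts (Initializable, Clones).
import {Initializable} from "@openzeppelin/contracts/proxy/utils/Initializable.sol";
import {Clones} from "@openzeppelin/contracts/proxy/Clones.sol";

/// Hypothetical token implementation (stand-in for an *InitAbstract contract).
/// Two controls matter here: who may call `initialize`, and when it is called.
contract TokenInit is Initializable {
    /// Immutables live in the implementation's runtime bytecode, so a clone
    /// that delegatecalls into it sees the same value. Set to the deployer of
    /// the implementation, i.e. the factory below.
    address public immutable factory;

    address public owner;
    string public name;

    constructor() {
        factory = msg.sender;
        // Lock the implementation itself so `initialize` can never run on the
        // logic contract, only on clones that point at it.
        _disableInitializers();
    }

    /// `initializer` guarantees a single run. The `factory` check is the
    /// access control: an arbitrary account cannot claim ownership of a
    /// clone even if it manages to call first.
    function initialize(address newOwner, string calldata name_) external initializer {
        require(msg.sender == factory, "TokenInit: only factory");
        require(newOwner != address(0), "TokenInit: owner is zero");
        owner = newOwner;
        name = name_;
    }
}

/// Factory: clone + initialize in the same transaction, so there is no block
/// in which an uninitialised clone exists for someone else to initialise.
contract TokenFactory {
    address public immutable implementation;

    event TokenDeployed(address indexed token, address indexed owner);

    constructor() {
        // Deployed from the factory, so TokenInit.factory == address(this).
        implementation = address(new TokenInit());
    }

    function deployToken(address owner_, string calldata name_) external returns (address token) {
        token = Clones.clone(implementation);
        // Atomic with the clone creation: cannot be front-run, and passes the
        // `msg.sender == factory` check because the factory is the caller.
        TokenInit(token).initialize(owner_, name_);
        emit TokenDeployed(token, owner_);
    }
}
```

Either control alone closes the window described above; using both means a future deployment path that forgets the atomic pattern is still protected by the caller check, and a mistaken call on the implementation itself reverts because its initializers are disabled.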
Assessed type
Access Control