code-423n4 / 2023-07-lens-findings


The `initialize()` function in multiple contracts can be front-run #120

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-07-lens/blob/main/contracts/FollowNFT.sol#L48-L56
https://github.com/code-423n4/2023-07-lens/blob/main/contracts/misc/LegacyCollectNFT.sol#L45-L52

Vulnerability details

Impact

In FollowNFT.sol, LegacyCollectNFT.sol and CollectNFT.sol (out of scope) we have initialize().

This is an example from LegacyCollectNFT:

```solidity
function initialize(uint256 profileId, uint256 pubId) external override {
    if (_initialized) revert Errors.Initialized();
    _initialized = true;
    _setRoyalty(1000); // 10% of royalties
    _profileId = profileId;
    _pubId = pubId;
    // _name and _symbol remain uninitialized because we override the getters below
}
```

This function finalizes the initialization of the contract by setting state variables for the contract and is designed to only be called once. But it can be front-run by a malicious user.

Proof of Concept

initialize() functions can only be called once during a setup phase. It is possible for a malicious user to call initialize() at the very beginning and set his address and other malicious variables.

Tools Used

Manual Review

Recommended Mitigation Steps

I think it is better to add access control like onlyOwner to initialize() functions.

Assessed type

Governance

c4-pre-sort commented 1 year ago

141345 marked the issue as low quality report

141345 commented 1 year ago

invalid

it's the logic contract

donosonaumczuk commented 1 year ago

We avoid redundant checks by design. This cannot be front-run given that it is all done atomically in the same transaction; it is the LensHub that is deploying AND initializing them.
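
The two positions in this thread (the report's suggested caller check on initialize(), and the sponsor's point that deployment and initialization happen in one transaction) can be shown side by side in a small contract pair. This is an added illustration, not Lens Protocol code: `MinimalCollectNFT`, `Hub`, `HUB` and `deployCollectNFT` are hypothetical names, the contract is deployed here with `new` rather than whatever deployment mechanism the real protocol uses, and the royalty/name logic of the original is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration, not Lens Protocol code. All names below are hypothetical.

error Initialized();
error NotHub();

/// Minimal stand-in for an initializable NFT-style contract with a one-shot initialize().
contract MinimalCollectNFT {
    // The deployer's address is fixed at construction, so only that address
    // can ever call initialize(); this is the access-control variant the report asks for.
    address public immutable HUB;
    bool private _initialized;
    uint256 public profileId;
    uint256 public pubId;

    constructor() {
        HUB = msg.sender;
    }

    /// One-shot initializer guarded by both a caller check and the _initialized flag.
    /// Any call from an address other than HUB reverts before any state is written.
    function initialize(uint256 profileId_, uint256 pubId_) external {
        if (msg.sender != HUB) revert NotHub();
        if (_initialized) revert Initialized();
        _initialized = true;
        profileId = profileId_;
        pubId = pubId_;
    }
}

/// Stand-in for the hub: it deploys and initializes in the same transaction,
/// which is the sponsor's argument. Because both steps execute atomically,
/// no other transaction can be ordered between deployment and initialization.
contract Hub {
    event CollectNFTDeployed(address nft, uint256 profileId, uint256 pubId);

    function deployCollectNFT(uint256 profileId, uint256 pubId) external returns (address) {
        MinimalCollectNFT nft = new MinimalCollectNFT(); // HUB == address(this)
        nft.initialize(profileId, pubId);                 // same transaction as deployment
        emit CollectNFTDeployed(address(nft), profileId, pubId);
        return address(nft);
    }
}
```

Either mechanism alone closes the window the report describes: the caller check makes a stray initialize() from any other account revert, and the atomic deploy-plus-initialize means there is no block position at which such a call could precede the legitimate one. Where an implementation ("logic") contract is only ever used behind proxies, the relevant state lives in each proxy, so an initialize() call against the bare implementation does not affect the deployed instances; that is the distinction the pre-sorter's "it's the logic contract" remark points at.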

c4-sponsor commented 1 year ago

donosonaumczuk marked the issue as sponsor disputed

Picodes commented 1 year ago

Out of Scope anyway with https://gist.github.com/thebrittfactor/3dc2ed1320de95e111a25c1744f4d33e#L-09

c4-judge commented 1 year ago

Picodes marked the issue as unsatisfactory: Out of scope