Detailed description of the impact of this finding.
Proof of Concept
The function initializeManager initializes the safeManager address of the vault contract. However, its lack of access control makes it vulnerable to front-running attacks. safeManager is the only contract authorized to mint safes in the vault contract.
function initializeManager() external {
if (address(safeManager) == address(0)) _setSafeManager(msg.sender);
}
A malicious front-runner can take advantage of this with the steps below:
First, he front-runs the initializeManager function to gain the authority to mint safes.
Then he calls the build function to create a proxy for his account.
Finally, he calls the mint function and mints as many safes of any safeId as he wants.
Governance can regain control of safeManager by calling setSafeManager.
However, this attack will DoS minting by the actual safeManager, because SAFEs are minted sequentially and some of them have already been minted by the attacker.
Tools Used
Manual Review.
Recommended Mitigation Steps
Add an onlyGovernor modifier to the initializeManager function.
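A minimal sketch of the recommended access control, added here as an illustration and not taken from the od-contracts code base. The contract name VaultInitSketch, the governor storage variable, the custom errors, the SafeManagerSet event and the address parameter on initializeManager are assumptions of this example; the parameter is there because, once the call is restricted to governance, msg.sender is no longer the manager.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Stand-in for the vault (hypothetical; not Open Dollar's Vault721).
contract VaultInitSketch {
    address public governor;    // assumed: fixed at deployment
    address public safeManager; // the only address allowed to mint safes

    // Emitted on every manager change so monitoring can alert on it.
    event SafeManagerSet(address indexed previous, address indexed current);

    error NotGovernor();
    error ZeroAddress();
    error AlreadyInitialized();

    modifier onlyGovernor() {
        if (msg.sender != governor) revert NotGovernor();
        _;
    }

    constructor(address _governor) {
        if (_governor == address(0)) revert ZeroAddress();
        governor = _governor;
    }

    // Reported form, kept as a comment for comparison:
    // the first caller, whoever it is, becomes the manager.
    //   function initializeManager() external {
    //       if (address(safeManager) == address(0)) _setSafeManager(msg.sender);
    //   }

    // Hardened form: only governance can initialize, and only once.
    function initializeManager(address _safeManager) external onlyGovernor {
        if (safeManager != address(0)) revert AlreadyInitialized();
        _setSafeManager(_safeManager);
    }

    // Governance recovery path named in the finding.
    function setSafeManager(address _safeManager) external onlyGovernor {
        _setSafeManager(_safeManager);
    }

    function _setSafeManager(address _safeManager) internal {
        if (_safeManager == address(0)) revert ZeroAddress();
        emit SafeManagerSet(safeManager, _safeManager);
        safeManager = _safeManager;
    }
}
```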
Lines of code
https://github.com/open-dollar/od-contracts/blob/v1.5.5-audit/src/contracts/proxies/Vault721.sol#L56
Vulnerability details
Impact
Detailed description of the impact of this finding.
Assessed type
Access Control