code-423n4 / 2023-12-autonolas-findings


A MALICIOUS USER CAN FRONT RUN AND EXECUTE THE `Tokenomics.initializeTokenomics` TRANSACTION TO BECOME THE OWNER OF THE `Tokenomics` CONTRACT #418

Closed c4-bot-4 closed 8 months ago

c4-bot-4 commented 9 months ago

Lines of code

https://github.com/code-423n4/2023-12-autonolas/blob/main/tokenomics/contracts/Tokenomics.sol#L264-L280

https://github.com/code-423n4/2023-12-autonolas/blob/main/tokenomics/contracts/Tokenomics.sol#L236-L237

Vulnerability details

Impact

The Tokenomics.initializeTokenomics is an external function which can be called by anyone, since there is no access control. Hence a malicious user can front-run the valid initialization transaction and become the owner of the Tokenomics contract.

This is because the Tokenomics contract is expected to be initialized no later than one year from the launch of the OLAS token contract. And anyone can call the initializeTokenomics function and become the owner of the contract as long as the owner is not set at the time of the initializeTokenomics function call as shown below:

    // Check if the contract is already initialized
    if (owner != address(0)) {
        revert AlreadyInitialized();
    } 

Hence a malicious user can easily front-run and become the owner of the Tokenomics contract. The subsequent Tokenomics.initializeTokenomics transaction by the autonolas protocol will revert since the owner is already set by the time it is being executed.

The malicious user can pass in input parameters which pass the input validation checks in the initializeTokenomics function, for input addresses and the _epochLen values. As a result the owner of the Tokenomics contract can be set to a malicious address. This will allow the malicious user to control the owner-controlled functions such as Tokenomics.changeTokenomicsImplementation, Tokenomics.changeManagers, Tokenomics.changeRegistries, Tokenomics.changeDonatorBlacklist, Tokenomics.changeTokenomicsParameters and Tokenomics.changeIncentiveFractions. Even if the autonolas protocol tries to redeploy and initialize the Tokenomics contract, the malicious user can keep on front-running the valid Tokenomics.initializeTokenomics transaction and become the owner of the Tokenomics contract maliciously.

As a result the Tokenomics contract will not be able to be used in the autonolas protocol since the malicious owner set tokenomics parameters are wrong and should not be used for transactions. This breaks the proper execution of the autonolas protocol.

Proof of Concept

    function initializeTokenomics(
        address _olas,
        address _treasury,
        address _depository,
        address _dispenser,
        address _ve,
        uint256 _epochLen,
        address _componentRegistry,
        address _agentRegistry,
        address _serviceRegistry,
        address _donatorBlacklist
    ) external
    {
        // Check if the contract is already initialized
        if (owner != address(0)) {
            revert AlreadyInitialized();
        }

https://github.com/code-423n4/2023-12-autonolas/blob/main/tokenomics/contracts/Tokenomics.sol#L264-L280

    /// @dev Tokenomics initializer.
    /// @notice Tokenomics contract must be initialized no later than one year from the launch of the OLAS token contract.

https://github.com/code-423n4/2023-12-autonolas/blob/main/tokenomics/contracts/Tokenomics.sol#L236-L237

Tools Used

Manual Review and VSCode

Recommended Mitigation Steps

Hence it is recommended to use access control such that only an authorized address can call the initializeTokenomics function to initialize the Tokenomics contract and become the valid owner of the contract within one year from the launch of the OLAS token contract.

Assessed type

Other
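
Added example (not part of the submitted report and not Autonolas code): the initializer pattern the report describes, next to an access-controlled variant of the kind its mitigation section recommends. The contract names, the `deployer` variable, the `NotDeployer` error and the `owner = msg.sender` assignment are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical contracts for illustration; not the Autonolas Tokenomics code.

// Pattern from the report: the only guard is "owner not yet set",
// so the first caller of initialize() becomes the owner.
contract UnguardedInit {
    error AlreadyInitialized();

    address public owner;

    function initialize() external {
        if (owner != address(0)) revert AlreadyInitialized();
        owner = msg.sender; // assumed: the caller is recorded as owner
    }
}

// Access-controlled variant: only the account that deployed the
// contract may run the initializer.
contract GuardedInit {
    error AlreadyInitialized();
    error NotDeployer(address caller);

    // Immutables are embedded in the deployed bytecode, not in storage,
    // so this check also holds when the code is executed via delegatecall
    // from a proxy (msg.sender is then the caller of the proxy).
    address public immutable deployer;
    address public owner;

    constructor() {
        deployer = msg.sender;
    }

    function initialize() external {
        // Reject any caller other than the deployer before touching state.
        if (msg.sender != deployer) revert NotDeployer(msg.sender);
        if (owner != address(0)) revert AlreadyInitialized();
        owner = msg.sender;
    }
}
```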

c4-pre-sort commented 9 months ago

alex-ppg marked the issue as primary issue

c4-pre-sort commented 9 months ago

alex-ppg marked the issue as insufficient quality report

c4-judge commented 8 months ago

dmvt marked the issue as unsatisfactory: Invalid