The Tokenomics.initializeTokenomics is an external function which can be called by anyone, Since there is no access control. Hence a malicious user can front-run the valid initialization transaction and become the owner of the Tokenomics contract.
This is because the Tokenomics contract is expected to be initialized no later than one year from the launch of the OLAS token contract. And anyone can call the initializeTokenomics function and become the owner of the contract as long as the owner is not set at the time of the initializeTokenomics function call as shown below:
// Check if the contract is already initialized
if (owner != address(0)) {
revert AlreadyInitialized();
}
Hence a malicious user can easily front-run and become the owner of the Tokenomics contract. The subsequent Tokenomics.initializeTokenomics transaction by the autonolas protocol will revert since the owner is already set by the time it is being executed.
The malicious user can pass in input parameters which passes the input validation checks in the initializeTokenomics function, for input addresses and the _epochLen values. As a result the owner of the Tokenomics contract can be set to a malicious address. This will allow the malicious user to control the owner controlled functions such as Tokenomics.changeTokenomicsImplementation, Tokenomics.changeManagers, Tokenomics.changeRegistries, Tokenomics.changeDonatorBlacklist, Tokenomics.changeTokenomicsParameters and Tokenomics.changeIncentiveFractions. Even if the autonolas protocol tries to redploy and initialize the Tokenomics contract, the malicious user can keep on front-running the valid Tokenomics.initializeTokenomics transaction and become the owner of the Tokenomics contract maliciously.
As a result the Tokenomics contract will not be able to be used in the autonolas protocol since the malicious owner set tokenomics parameters are wrong and should not be used for transactions. This breaks the proper execution of the autonolas protocol.
Proof of Concept
function initializeTokenomics(
address _olas,
address _treasury,
address _depository,
address _dispenser,
address _ve,
uint256 _epochLen,
address _componentRegistry,
address _agentRegistry,
address _serviceRegistry,
address _donatorBlacklist
) external
{
// Check if the contract is already initialized
if (owner != address(0)) {
revert AlreadyInitialized();
}
/// @dev Tokenomics initializer.
/// @notice Tokenomics contract must be initialized no later than one year from the launch of the OLAS token contract.
Hence it is recommended to use access control such that only a authorized address can call the initializeTokenomics function to initialize the Tokenomics contract and become the valid owner of the contract within one year from the launch of the OLAS token contract.
Lines of code
https://github.com/code-423n4/2023-12-autonolas/blob/main/tokenomics/contracts/Tokenomics.sol#L264-L280 https://github.com/code-423n4/2023-12-autonolas/blob/main/tokenomics/contracts/Tokenomics.sol#L236-L237
Vulnerability details
Impact
The
Tokenomics.initializeTokenomics
is an external function which can be called by anyone, Since there is no access control. Hence a malicious user can front-run the valid initialization transaction and become the owner of theTokenomics
contract.This is because the
Tokenomics
contract is expected to be initialized no later than one year from the launch of the OLAS token contract. And anyone can call theinitializeTokenomics
function and become theowner
of the contract as long as theowner
is not set at the time of theinitializeTokenomics
function call as shown below:Hence a malicious user can easily front-run and become the owner of the
Tokenomics
contract. The subsequentTokenomics.initializeTokenomics
transaction by theautonolas
protocol will revert since theowner
is already set by the time it is being executed.The malicious user can pass in input parameters which passes the input validation checks in the
initializeTokenomics
function, forinput addresses
and the_epochLen
values. As a result the owner of theTokenomics
contract can be set to a malicious address. This will allow the malicious user to control theowner
controlled functions such asTokenomics.changeTokenomicsImplementation
,Tokenomics.changeManagers
,Tokenomics.changeRegistries
,Tokenomics.changeDonatorBlacklist
,Tokenomics.changeTokenomicsParameters
andTokenomics.changeIncentiveFractions
. Even if theautonolas
protocol tries to redploy and initialize theTokenomics
contract, the malicious user can keep on front-running the validTokenomics.initializeTokenomics
transaction and become the owner of theTokenomics
contract maliciously.As a result the
Tokenomics
contract will not be able to be used in theautonolas
protocol since the malicious owner set tokenomics parameters are wrong and should not be used for transactions. This breaks the proper execution of theautonolas
protocol.Proof of Concept
https://github.com/code-423n4/2023-12-autonolas/blob/main/tokenomics/contracts/Tokenomics.sol#L264-L280
https://github.com/code-423n4/2023-12-autonolas/blob/main/tokenomics/contracts/Tokenomics.sol#L236-L237
Tools Used
Manual Review and VSCode
Recommended Mitigation Steps
Hence it is recommended to use access control such that only a
authorized address
can call theinitializeTokenomics
function to initialize theTokenomics
contract and become the valid owner of the contract within one year from the launch of the OLAS token contract.Assessed type
Other