The s_owner variable, which is meant to be a delicate variable, is laxly protected and can easily be hijacked.
Detailed Description
The s_owner is a delicate variable that should be handled with care and instantiated upon construction.
It is currently set by an initialize function that has no access control, so the call can be front-run and the s_owner variable hijacked by an attacker.
Impact:
The contract can be hijacked by a malicious user, breaking the overall protocol.
Proof of Code
    // No caller restriction: whichever account calls this first sets s_owner.
    function initialize(address _owner) public {
        if (!s_initialized) {
            s_owner = _owner;
            s_initialized = true;
        }
    }
Tool used:
Manual Review
Recommended Mitigation:
The s_owner variable should be set in a constructor or the protocol should implement access control on the initialize function.
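The two mitigations above, sketched as an added example (not code from the Panoptic repository or from the original report). The contract, error and event names and `i_deployer` are hypothetical; only `s_owner`, `s_initialized` and `initialize(address)` mirror the snippet above, and option 2 assumes the deploying account is the one that should initialize.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added illustration; contract, error and event names are hypothetical.

/// Option 1: the owner is fixed at deployment, so there is no window
/// between deployment and initialization for another caller to use.
contract OwnerSetInConstructor {
    address internal s_owner;

    error ZeroOwner();

    constructor(address _owner) {
        if (_owner == address(0)) revert ZeroOwner();
        s_owner = _owner;
    }
}

/// Option 2: initialize() stays, but only the deploying account may call it.
contract GuardedInitialize {
    address private immutable i_deployer; // recorded once at deployment
    address internal s_owner;
    bool internal s_initialized;

    error NotDeployer();
    error AlreadyInitialized();
    error ZeroOwner();

    event OwnerInitialized(address indexed owner);

    constructor() {
        i_deployer = msg.sender;
    }

    function initialize(address _owner) public {
        if (msg.sender != i_deployer) revert NotDeployer();
        if (s_initialized) revert AlreadyInitialized();
        if (_owner == address(0)) revert ZeroOwner();
        s_owner = _owner;
        s_initialized = true;
        emit OwnerInitialized(_owner);
    }
}
```

Reverting on a repeated call, rather than returning silently as the original does, makes an unexpected earlier initialization visible to the deployment script, and the event gives monitoring a single record of who was set as owner.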
Lines of code
https://github.com/code-423n4/2024-04-panoptic/blob/833312ebd600665b577fbd9c03ffa0daf250ed24/contracts/PanopticFactory.sol#L134-L139
Assessed type
Access Control