code-423n4 / 2024-04-panoptic-findings


Missing access control in PanopticFactory::initialize can be manipulated by MEV #569

Closed c4-bot-2 closed 2 months ago

c4-bot-2 commented 2 months ago

Lines of code

https://github.com/code-423n4/2024-04-panoptic/blob/main/contracts/PanopticFactory.sol#L134-L139

Vulnerability details

Impact

There is no access control, so an MEV bot can manipulate the s_owner address and become the address of the PanopticFactory contract.

Proof of Concept

function initialize(address _owner) public {
    if (!s_initialized) {
        s_owner = _owner;
        s_initialized = true;
    }
}

Tools Used

Manual code review

Recommended Mitigation Steps

Add access control or call it in the constructor.

Assessed type

MEV
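The two mitigations the report recommends, sketched as an added example (not Panoptic's code and not part of the original report). The contract names, error names and the `i_deployer` variable are hypothetical; only `initialize`, `s_owner` and `s_initialized` come from the snippet above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added example. Contract, error and i_deployer names are hypothetical.

// Option 1: keep initialize(), but gate it on the deploying account and
// revert on a repeat call instead of silently doing nothing.
contract GatedInitFactory {
    error NotDeployer();
    error AlreadyInitialized();

    // Immutables live in the runtime bytecode, so this check also holds
    // when the contract is reached through a delegatecall proxy.
    address private immutable i_deployer;
    address private s_owner;
    bool private s_initialized;

    constructor() {
        i_deployer = msg.sender;
    }

    function initialize(address _owner) external {
        if (msg.sender != i_deployer) revert NotDeployer();
        if (s_initialized) revert AlreadyInitialized();
        s_owner = _owner;
        s_initialized = true;
    }

    function owner() external view returns (address) {
        return s_owner;
    }
}

// Option 2: set the owner in the constructor, so the contract never exists
// in an uninitialized state. Only suitable when the contract is called
// directly: constructor storage writes are not visible through a proxy.
contract ConstructorOwnedFactory {
    address private s_owner;

    constructor(address _owner) {
        s_owner = _owner;
    }

    function owner() external view returns (address) {
        return s_owner;
    }
}
```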

c4-judge commented 2 months ago

Picodes marked the issue as unsatisfactory: Invalid