Open c4-bot-6 opened 3 months ago
@alex-ppg Please let me know why this is invalid. Thanks!
Hey @Odhiambo526, thank you for the PJQA contribution. I will preface all validation repository finding responses by stating that they are not evaluated by judges directly and are only evaluated by the validators if they are deemed unsatisfactory.
These types of vulnerabilities are generally considered QA and are usually caught by static analyzers, as is the case of this particular scenario in L-16. As such, the submission is considered OOS and ineligible for a reward.
This paragraph is included in all of my responses and confirms that no further feedback is expected in this submission as PJQA has concluded. You are free to refute any of my statements factually, however, I strongly implore you to do this with actual code references and examples.
Lines of code
https://github.com/code-423n4/2024-06-vultisig/blob/cb72b1e9053c02a58d874ff376359a83dc3f0742/src/ILOPool.sol#L61
Vulnerability details
Proof of Concept
The initialize function in the ILOPool contract contains a race condition that can allow a malicious actor to set themselves as the MANAGER if they call the function before the intended user. The initialize function sets the MANAGER without verifying the caller's identity, which creates a vulnerability where any user can call initialize first and assign themselves as the MANAGER. This is evident from the following code snippet:

The vulnerability arises from the following lines:
In this line, the msg.sender is assigned to the MANAGER variable without any checks to verify the identity of the caller. This allows any user who calls the initialize function first to become the MANAGER.

Impact
If a malicious user calls the initialize function before the intended deployer, they will become the MANAGER of the contract. This unauthorized access allows the attacker to have full control over the contract, including managing the project's funds and configurations. The attacker can:

Tools Used
Manual
Recommended Mitigation Steps
Add an authorization check in the initialize function to ensure that only the intended deployer or a specific address can call it. This can be achieved by passing the intended MANAGER address as a parameter to the constructor and restricting the initialize function to be callable only by this address.

Assessed type
Context
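As an added illustration of the initializer pattern the report describes and the mitigation it recommends (example code written for this page, not taken from the Vultisig repository; contract, variable and error names other than MANAGER are assumed):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Sketch of the pattern the report describes: the initializer records
// msg.sender as MANAGER with no caller check and no one-shot guard,
// so whichever account calls it first becomes MANAGER.
contract UnprotectedInitializer {
    address public MANAGER;

    function initialize() external {
        MANAGER = msg.sender; // no access control, can be called by anyone
    }
}

// Hardened variant along the lines of the recommended mitigation:
// the deployer fixes the intended manager in the constructor, initialize()
// is only callable by that address, and it can only run once.
contract GuardedInitializer {
    address public immutable INTENDED_MANAGER; // assumed name
    address public MANAGER;
    bool private initialized;

    error NotIntendedManager(address caller); // assumed name
    error AlreadyInitialized();               // assumed name

    constructor(address intendedManager) {
        require(intendedManager != address(0), "manager is zero address");
        INTENDED_MANAGER = intendedManager;
    }

    function initialize() external {
        // Reject repeat calls so MANAGER cannot be reassigned later.
        if (initialized) revert AlreadyInitialized();
        // Reject any caller other than the address fixed at deployment.
        if (msg.sender != INTENDED_MANAGER) revert NotIntendedManager(msg.sender);
        initialized = true;
        MANAGER = msg.sender;
    }
}
```

The same two checks (a one-shot flag and an expected-caller comparison) are what static analyzers look for when they flag an unprotected initializer, which is the class of finding the validator's response refers to.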