Lines of code
https://github.com/code-423n4/2024-08-superposition/blob/4528c9d2dbe1550d2660dac903a8246076044905/pkg/seawater/src/pool.rs#L49-L61
Vulnerability details
Impact
Initializers can be front-run, requiring more pools to be deployed.
Proof of Concept
Pools can be created through create_pool_D650_E2_D0() in lib.rs by the seawater_admin. This function calls self.pools.setter(pool).init(price, fee, tick_spacing, max_liquidity_per_tick).

The init() function in pool.rs checks that the sqrt_price is not set.

This init() function can be front-run before create_pool_D650_E2_D0() is called to set the values. After that, init() can no longer be called.

Tools Used
Manual Review
Recommended Mitigation Steps
In Uniswap, the pool contract is created and initialized at the same time:
Alternatively, make sure init() can only be called by lib.rs.
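The initialization race and the caller-restricted mitigation described above, as a simplified in-memory model. This is an added example, not code from the seawater repository or from Uniswap; `Pool`, `Seawater`, `Addr`, `init_exposed`, `state_of` and the error names are hypothetical, and only `price` and `fee` of the real `init()` arguments are modelled.

```rust
// Added illustration: simplified in-memory model, not the seawater code.
// All type, function and error names here are hypothetical.
use std::collections::HashMap;

type Addr = u8; // constructed stand-in for an account or pool address

#[derive(Debug, PartialEq)]
pub enum Error { AlreadyInitialised, NotAdmin }

#[derive(Default)]
pub struct Pool { sqrt_price: u128, fee: u32 }

impl Pool {
    // The only guard is "sqrt_price is not set", as the finding describes.
    pub fn init(&mut self, price: u128, fee: u32) -> Result<(), Error> {
        if self.sqrt_price != 0 { return Err(Error::AlreadyInitialised); }
        self.sqrt_price = price;
        self.fee = fee;
        Ok(())
    }
}

pub struct Seawater { admin: Addr, pools: HashMap<Addr, Pool> }

impl Seawater {
    pub fn new(admin: Addr) -> Self { Self { admin, pools: HashMap::new() } }

    // Reported pattern: init() reachable by any caller, so the first call wins.
    pub fn init_exposed(&mut self, pool: Addr, price: u128, fee: u32) -> Result<(), Error> {
        self.pools.entry(pool).or_default().init(price, fee)
    }

    // Mitigation: init() is reachable only through the admin-checked entry
    // point, which creates and initializes the pool in the same call.
    pub fn create_pool(&mut self, caller: Addr, pool: Addr, price: u128, fee: u32) -> Result<(), Error> {
        if caller != self.admin { return Err(Error::NotAdmin); }
        self.pools.entry(pool).or_default().init(price, fee)
    }

    pub fn state_of(&self, pool: Addr) -> Option<(u128, u32)> {
        self.pools.get(&pool).map(|p| (p.sqrt_price, p.fee))
    }
}
```

With `init_exposed` present, an earlier call fixes the pool's price and fee and the admin's later `create_pool` fails with `AlreadyInitialised`; with only `create_pool` exposed, a non-admin call is rejected before any pool state is written.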
Assessed type
Invalid Validation