hats-finance / Catalyst-Exchange-0x3026c1ea29bf1280f99b41934b2cb65d053c9db4


Initialization can be front-run #19

Open hats-bug-reporter[bot] opened 8 months ago

hats-bug-reporter[bot] commented 8 months ago

Github username: @saidqayoumsadat
Twitter username: saqsadat143
Submission hash (on-chain): 0x8966dd7575376720ff3b24ae6bd9a3c0f86ad7680969532b01ed44d022068a3a
Severity: low

Description: The initialize() functions are not protected by a modifier, which allows attackers to call this function once the contract is deployed through the proxy. Consider adding modifiers to protect this function, or create a contract that both deploys the project and initializes it in the same transaction.

1. Proof of Concept (PoC) File

file: /src/CatalystVaultAmplified.sol

```solidity
    function initializeSwapCurves(
        address[] calldata assets,
        uint256[] calldata weights,
        uint256 amp,
        address depositor
    ) external override {
```

https://github.com/catalystdao/catalyst/blob/27b4d0a2bca177aff00def8cd745623bfbf7cb6b/evm/src/CatalystVaultAmplified.sol#L93C4-L98C26

reednaa commented 8 months ago

That's what the factory is for.
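
The pattern the thread discusses, sketched as an added example (not Catalyst's code and not part of the thread): a factory creates the proxy and calls `initializeSwapCurves` in the same transaction, and the vault rejects any other caller. `ProxySketch`, `VaultSketch`, `FactorySketch`, `deployVault` and the stored fields are hypothetical names chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
// Hypothetical sketch; none of these contracts are Catalyst's code.
contract ProxySketch {
    address private immutable IMPLEMENTATION;
    constructor(address implementation) { IMPLEMENTATION = implementation; }
    // Delegate every call to the implementation; state lives in the proxy.
    fallback() external {
        address impl = IMPLEMENTATION;
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            if iszero(ok) { revert(0, returndatasize()) }
            return(0, returndatasize())
        }
    }
}

contract VaultSketch {
    address public immutable FACTORY; // stored in code, so visible via the proxy
    bool public initialized;
    address public depositor;
    uint256 public amp;
    constructor(address factory) { FACTORY = factory; }
    function initializeSwapCurves(
        address[] calldata assets,
        uint256[] calldata weights,
        uint256 amp_,
        address depositor_
    ) external {
        require(msg.sender == FACTORY, "only factory"); // direct callers revert
        require(!initialized, "already initialized");   // one-shot per proxy
        require(assets.length == weights.length, "length mismatch");
        initialized = true;
        amp = amp_;
        depositor = depositor_;
    }
}

contract FactorySketch {
    address public immutable TEMPLATE;
    constructor() { TEMPLATE = address(new VaultSketch(address(this))); }
    // Deploy and initialize atomically: no uninitialized proxy exists between transactions.
    function deployVault(address[] calldata assets, uint256[] calldata weights, uint256 amp_)
        external returns (address vault)
    {
        vault = address(new ProxySketch(TEMPLATE));
        VaultSketch(vault).initializeSwapCurves(assets, weights, amp_, msg.sender);
    }
}
```

When reviewing a deployment for this class of issue, check both properties: that the initializer is restricted to the deployer contract, and that no code path creates a proxy without initializing it in the same call.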