The vulnerability arises from the absence of the initializer modifier in the initialize function of the smart contract. In Solidity, the initializer modifier is commonly used to ensure that a function can only be called once during contract initialization. Without this modifier, there is a risk of reinitialization, which can lead to unexpected behavior and potential security vulnerabilities.
Attack Scenario
Reinitialization Attack: An attacker could exploit the absence of the initializer modifier by calling the initialize function multiple times, potentially resetting critical state variables and compromising the integrity of the contract.
Contract State Manipulation: Without the initializer modifier, malicious actors may attempt to manipulate the contract's state by repeatedly invoking the initialization function with different
Attachments
Proof of Concept (PoC) File
[TestCvgCvxStakingPositionService.t.sol]
Revised Code File (Optional)
```solidity
pragma solidity ^0.8.0;

import "../node_modules/@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";

// Here I did inherit from Initializable, is this best practice?
// ICrvPoolPlain and ICvx1 are project interfaces; their imports are omitted in this excerpt.
contract CvgCvxStakingPositionService is Initializable {
    // Excluded constant state vars declaration for sake of readability....

    // Here comes the INITIALIZER
    function initialize(
        address _cvxConvergenceLocker,
        ICrvPoolPlain _curvePool,
        ICvx1 _cvx1,
        string memory _symbol
    ) public initializer {
        // body of function
    }
}
```
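The reinitialization risk and the fix described in this report, shown side by side as an added example that is not part of the submission or the project's code. The contract names, the two-field state and the `OneTimeInit` guard (a simplified stand-in for OpenZeppelin's `Initializable`) are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified stand-in for OpenZeppelin's Initializable (assumption: one flag, no versioning).
abstract contract OneTimeInit {
    bool private _initialized;
    modifier initializer() {
        require(!_initialized, "already initialized");
        _initialized = true;
        _;
    }
}

// "Before" (hypothetical): initialize has no guard, so every call overwrites stored state.
contract UnguardedService {
    address public locker;
    string public symbol;
    function initialize(address _locker, string memory _symbol) public {
        locker = _locker;
        symbol = _symbol;
    }
}

// "After" (hypothetical): the same function with the one-time guard applied.
contract GuardedService is OneTimeInit {
    address public locker;
    string public symbol;
    function initialize(address _locker, string memory _symbol) public initializer {
        locker = _locker;
        symbol = _symbol;
    }
}

// Regression check: deploys both variants and reports whether a second
// initialize call was able to change the stored state.
contract ReinitCheck {
    function run() external returns (bool unguardedOverwritten, bool guardedOverwritten) {
        UnguardedService u = new UnguardedService();
        u.initialize(address(0x1), "A");
        u.initialize(address(0x2), "B"); // no guard: this call replaces the first values
        unguardedOverwritten = u.locker() == address(0x2);

        GuardedService g = new GuardedService();
        g.initialize(address(0x1), "A");
        try g.initialize(address(0x2), "B") {
            guardedOverwritten = true; // guard failed to stop the second call
        } catch {
            // second call reverted; confirm the first values survived
            guardedOverwritten = g.locker() != address(0x1);
        }
    }
}
```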
Github username: @https://github.com/Lhoussaineph2001
Twitter username: https://twitter.com/lhoussainePh
Submission hash (on-chain): 0xc2c2fb8291c4b28da0d1393bfde8c3f48d71437a26772d9629dcbfbce5602d0c
Severity: medium