search

hats-finance / Thorn-protocol-0x1286ecdac50215a366458a14968fbca4bd95067d

GNU General Public License v3.0
0 stars 0 forks source link

The StableSwapFactory contract can be reinitialize #3

Open hats-bug-reporter[bot] opened 1 day ago

hats-bug-reporter[bot] commented 1 day ago

Github username: -- Twitter username: -- Submission hash (on-chain): 0xe9912b85d135bce406561a14feed9538a2948e21d927bf1c83ee23fa3b02c13f Severity: high

Description: Description:

The StableSwapFactory contract can be reinitialize any time by anyone using the function initialize:

     function initialize(
        IStableSwapLPFactory _LPFactory,
        IStableSwapDeployer _SwapTwoPoolDeployer,
        IStableSwapDeployer _SwapThreePoolDeployer,
        address _admin

     ) public  {
        LPFactory = _LPFactory;
        SwapTwoPoolDeployer = _SwapTwoPoolDeployer;
        SwapThreePoolDeployer = _SwapThreePoolDeployer;
        admin=_admin;
     }

As we can see, this function does not have any kind of protection

Attack Scenario:

Anyone can call the initialize function and change LPFactory, SwapTwoPoolDeployer, SwapThreePoolDeployer and admin variable, taking control of the contract

By taking control of the contract, the attacker can manipulate the functions createSwapPair createThreePoolPair, addPairInfo and transferAdminship

Recommendation:

Use an initialize pattern as in the StableSwapThreePool and StableSwapTwoPool contracts or implement the [OpenZeppelin] pattern (https://github.com/OpenZeppelin/openzeppelin-contracts/blob/49cd64565aafa5b8f6863bf60a30ef015861614c/contracts/proxy/utils/Initializable.sol#L104-L132)

omega-audits commented 1 day ago

This is a duplicate of #1