hats-finance / Velvet-Capital-0x0bb0c08fd9eeaf190064f4c66f11d18182961f77

Core smart contracts of Velvet Capital

Anyone can initialize VelvetSafeModule #24

Open hats-bug-reporter[bot] opened 3 months ago

hats-bug-reporter[bot] commented 3 months ago

Github username: @@giorgiodalla
Twitter username: 0xAuditism
Submission hash (on-chain): 0xba9b879bb7d7ed5c539c10315bc36aaa0cc1ffbe34a3ecde1a3cd39eae288aeb
Severity: low

Description: Unlike all the others, the velvet module contract is left open for anyone to initialize. If the deployer forgets to initialize it, it will create some very big issues down the line.

Attack Scenario

The VelvetSafeModule is deployed but not initialized. It is implemented in all other key contracts, but left open. Some malicious actor sees that it is still open for setup, and is now master of the contract and its variables.

Attachments

  1. Proof of Concept (PoC) File: All the other contracts have a

         constructor() {
             _disableInitializers();
         }

     But we can see that the VelvetSafeModule is missing it, thus looking like an oversight.

  2. Revised Code File (Optional): The fix for this bug is straightforward. Add the same constructor as in the other contracts.

+  constructor() {
+   _disableInitializers();
+ }
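
Review bot: the call to `_disableInitializers()` in the added constructor only has an effect if VelvetSafeModule inherits OpenZeppelin's Initializable and its setup function carries the `initializer` modifier, and neither is visible in these lines. Confirm both in the same change, give the three lines consistent indentation, and add a test asserting that the setup call reverts on the bare implementation contract.
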
langnavina97 commented 3 months ago

The VelvetSafeModule is being initialized in the Factory, ensuring that it cannot be exploited or left uninitialized. This initialization process is managed and controlled appropriately within the deployment flow, negating the concern raised.

@GiorgioDalla
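
The check described in the report (every initializable contract should carry the `_disableInitializers()` constructor) can be automated over a source tree. The following is an added example, not part of the issue thread or the project's code: a text-level scan that lists contracts exposing an `initializer` function without a locking constructor. The sample contracts and their names (`Portfolio`, `SafeModuleExample`, `setUp`) are constructed for illustration and are not Velvet Capital's sources.

```python
import re

# Constructed sample sources (not Velvet Capital's code): Portfolio locks its
# implementation in the constructor, SafeModuleExample leaves it unlocked.
SAMPLE = '''
contract Portfolio is Initializable {
    constructor() { _disableInitializers(); }
    function init(address owner_) external initializer { owner = owner_; }
}
contract SafeModuleExample is Initializable {
    address public multiSend;
    function setUp(bytes memory data) public initializer { multiSend = abi.decode(data, (address)); }
}
contract Helper { function f() external {} }
'''

CONTRACT_RE = re.compile(r'\bcontract\s+(\w+)[^{;]*\{')
INIT_FN_RE = re.compile(r'\bfunction\s+\w+\s*\([^)]*\)[^{;]*\b(?:initializer|reinitializer)\b')
CTOR_RE = re.compile(r'\bconstructor\s*\([^)]*\)[^{]*\{')

def strip_comments(src):
    """Remove // and /* */ comments so commented-out code is not matched."""
    return re.sub(r'//[^\n]*|/\*.*?\*/', '', src, flags=re.S)

def block_body(src, open_idx):
    """Return the text between the brace at open_idx and its matching close."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == '{':
            depth += 1
        elif src[i] == '}':
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
    return src[open_idx + 1:]  # unbalanced input: take the rest

def unlocked_implementations(src):
    """Names of contracts with an initializer function but no locking constructor."""
    src = strip_comments(src)
    findings = []
    for m in CONTRACT_RE.finditer(src):
        body = block_body(src, m.end() - 1)
        if not INIT_FN_RE.search(body):
            continue  # nothing to initialize, so nothing to lock
        ctor = CTOR_RE.search(body)
        locked = ctor and '_disableInitializers()' in block_body(body, ctor.end() - 1)
        if not locked:
            findings.append(m.group(1))
    return findings
```

This is a regex scan of source text, so it does not follow inheritance: a contract whose base class already locks initializers in its own constructor will still be listed and needs a manual look.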