Open hats-bug-reporter[bot] opened 3 months ago
The VelvetSafeModule is being initialized in the Factory, ensuring that it cannot be exploited or left uninitialized. This initialization process is managed and controlled appropriately within the deployment flow, negating the concern raised.
@GiorgioDalla
Github username: @@giorgiodalla Twitter username: 0xAuditism Submission hash (on-chain): 0xba9b879bb7d7ed5c539c10315bc36aaa0cc1ffbe34a3ecde1a3cd39eae288aeb Severity: low
Description: Description\ Unlike all the other the velvet module contract is left open for anyone to initialze. If the deployer forgets to initialize it will create some very big issues down the line
Attack Scenario\
The VelvetSafeModule is deployed but not initialized. It is implemented in all other key contracts, but left onpen. Some malicious actor sees that it is still open for setup, and is now master of the contract and its variables
Attachments
Proof of Concept (PoC) File All the other contract have a
But we can see that the VelvetSafeModule is missing it, thus looking like an oversight.
Revised Code File (Optional) The fix for this bug is straightforward. Add the same constructor as in the other contract.