xiaoming90
medium
Initialization of Cross Currency Vault Can Be Front-runned
Summary
The initialization of the Cross Currency Vault can be front-run due to the lack of access control.
Vulnerability Detail
onlyNotionalOwner has been implemented on Balancer-related vaults to ensure that the vault initialization cannot be front-run by malicious users.
https://github.com/sherlock-audit/2022-09-notional/blob/main/leveraged-vaults/contracts/vaults/MetaStable2TokenAuraVault.sol#L44
https://github.com/sherlock-audit/2022-09-notional/blob/main/leveraged-vaults/contracts/vaults/Boosted3TokenAuraVault.sol#L42
However, this access control was not consistently applied to the Cross Currency vault. As shown below, the CrossCurrencyfCashVault.initialize function lacks the onlyNotionalOwner modifier. Thus, anyone can trigger the CrossCurrencyfCashVault.initialize function as long as it has not been called before.
https://github.com/sherlock-audit/2022-09-notional/blob/main/leveraged-vaults/contracts/vaults/CrossCurrencyfCashVault.sol#L79
Impact
A malicious attacker could monitor the Ethereum blockchain for bytecode that matches the CrossCurrencyfCashVault contract and front-run the initialize() transaction to configure the vaults in a manner that will benefit the malicious user. This can be repeated as a Denial of Service (DoS) type of attack, effectively preventing Notional’s contract deployment, leading to unrecoverable gas expenses.
Code Snippet
https://github.com/sherlock-audit/2022-09-notional/blob/main/leveraged-vaults/contracts/vaults/MetaStable2TokenAuraVault.sol#L44
https://github.com/sherlock-audit/2022-09-notional/blob/main/leveraged-vaults/contracts/vaults/Boosted3TokenAuraVault.sol#L42
https://github.com/sherlock-audit/2022-09-notional/blob/main/leveraged-vaults/contracts/vaults/CrossCurrencyfCashVault.sol#L79
Tool used
Manual Review
Recommendation
It is recommended to implement access control on all the initialize functions to ensure that only the Notional admin can initialize and configure the vaults.
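The weak and corrected forms of the initializer side by side, as an added example that is not Notional's code. The contract names, the currencyId parameter, the notionalOwner immutable and the body of the modifier are assumptions made for illustration; only initialize and onlyNotionalOwner are names taken from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;
// Added illustration, not Notional's code. Only `initialize` and
// `onlyNotionalOwner` are names from the finding; the rest is hypothetical.

// One-shot guard: stops a second call, but not a first call by a stranger.
abstract contract OneShot {
    bool private _initialized;
    modifier initializer() {
        require(!_initialized, "already initialized");
        _initialized = true;
        _;
    }
}

// Weak form: whoever calls first chooses the configuration.
contract UnprotectedVault is OneShot {
    string public name;
    uint16 public currencyId;
    function initialize(string calldata name_, uint16 currencyId_) external initializer {
        name = name_;
        currencyId = currencyId_;
    }
}

// Hardened form: the first call must also come from the admin.
contract ProtectedVault is OneShot {
    // Immutables live in the implementation bytecode, so the check still
    // holds when the vault is reached through a proxy's delegatecall.
    address public immutable notionalOwner; // assumed: fixed at deployment
    string public name;
    uint16 public currencyId;

    constructor(address notionalOwner_) {
        require(notionalOwner_ != address(0), "zero owner");
        notionalOwner = notionalOwner_;
    }

    // Assumed body: the finding names this modifier but does not show it.
    modifier onlyNotionalOwner() {
        require(msg.sender == notionalOwner, "unauthorized");
        _;
    }

    function initialize(string calldata name_, uint16 currencyId_) external onlyNotionalOwner initializer {
        name = name_;
        currencyId = currencyId_;
    }
}
```

The one-shot guard alone only decides that initialize runs once; the caller check decides who gets to make that single call.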