0xheynacho - the initialize function that initializes important contract state can be called by anyone. initialize() function can be called anybody when the contract is not initialized #169
the initialize function that initializes important contract state can be called by anyone. initialize() function can be called anybody when the contract is not initialized
Summary
The initialize function that initializes important contract state can be called by anyone.
initialize() function can be called anybody when the contract is not initialized.
Vulnerability Detail
The attacker can initialize the contract before the legitimate deployer, hoping that the victim continues to use the same contract. In the best case for the victim, they notice it and have to redeploy their contract costing gas.
Recommend using the constructor to initialize non-proxied contracts. For initializing proxy contracts, recommend deploying contracts using a factory contract that immediately calls initialize after deployment, or make sure to call it immediately after deployment and verify the transaction
0xheynacho
medium
the initialize function that initializes important contract state can be called by anyone. initialize() function can be called anybody when the contract is not initialized
Summary
The initialize function that initializes important contract state can be called by anyone. initialize() function can be called anybody when the contract is not initialized.
Vulnerability Detail
The attacker can initialize the contract before the legitimate deployer, hoping that the victim continues to use the same contract. In the best case for the victim, they notice it and have to redeploy their contract costing gas. Recommend using the constructor to initialize non-proxied contracts. For initializing proxy contracts, recommend deploying contracts using a factory contract that immediately calls initialize after deployment, or make sure to call it immediately after deployment and verify the transaction
Impact
Code Snippet
https://github.com/sherlock-audit/2023-01-ajna/blob/main/contracts/src/ERC721Pool.sol#L82
Tool used
Manual Review
Recommendation