sherlock-audit / 2023-02-blueberry-judging

Breeje - All `initialize` methods can be Frontrun because of lack of access control #268

Closed github-actions[bot] closed 1 year ago

github-actions[bot] commented 1 year ago

Breeje

medium

All initialize methods can be Frontrun because of lack of access control

Summary

There is no access control in the initialize() method, so anyone can front-run the transaction and call it on the deployer's behalf to gain access.

Vulnerability Detail

If the initializer is not executed in the same transaction as the constructor, a malicious user can front-run the initialize() call, forcing the contract to be redeployed.

Impact

The contract will have to be redeployed.

Code Snippet

File: BlueBerryBank.sol

94:   function initialize(IOracle _oracle, IProtocolConfig _config)

File: ProtocolConfig.sol

28:   function initialize(address treasury_) external initializer {

File: CoreOracle.sol

31:   function initialize() external initializer {

File: IchiVaultSpell.sol

59:   function initialize(

File: HardVault.sol

36:   function initialize(IProtocolConfig _config) external initializer {

File: SoftVault.sol

41:   function initialize(

File: WERC20.sol

15:   function initialize() external initializer {

File: WIchiFarm.sol

30:   function initialize(

Tool used

Manual Review

Recommendation

Add an access control modifier such that only the owner can call the initialize() method.
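
An added example, not part of the submission and not code from the audited repository: one way to close the window described above is to restrict initialize() to the deploying address and to run it in the same transaction that creates the proxy. `ExampleVault`, `ExampleVaultFactory`, `config` and `NotDeployer` are hypothetical names; the example assumes OpenZeppelin's `Initializable` and `ERC1967Proxy`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";

// Hypothetical upgradeable contract, not one of the audited files.
contract ExampleVault is Initializable {
    // Immutables are stored in the implementation's bytecode, so this value
    // is also readable when the code runs behind a proxy via delegatecall.
    address private immutable _deployer;
    address public config;

    error NotDeployer();

    constructor() {
        _deployer = msg.sender;
        // Lock the implementation itself so it cannot be initialized directly.
        _disableInitializers();
    }

    // `initializer` only guarantees "at most once"; the explicit check adds
    // the "only by the deployer" part that the finding says is missing.
    function initialize(address config_) external initializer {
        if (msg.sender != _deployer) revert NotDeployer();
        config = config_;
    }
}

// Hypothetical factory: deploys implementation and proxy, and initializes the
// proxy inside its constructor, so no uninitialized proxy is ever on chain.
contract ExampleVaultFactory {
    function deploy(address config_) external returns (address proxy) {
        // The factory is msg.sender here, so it becomes `_deployer`.
        ExampleVault impl = new ExampleVault();
        // ERC1967Proxy delegatecalls `impl` with this calldata during
        // construction; msg.sender in initialize() is again the factory.
        proxy = address(
            new ERC1967Proxy(
                address(impl),
                abi.encodeCall(ExampleVault.initialize, (config_))
            )
        );
    }
}
```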