All initialize methods can be Frontrun because of lack of access control
Summary
There is no Access control in initialize() method. So anyone can frontrun the transaction and call that on deployer's behalf to gain access.
Vulnerability Detail
If the initializer is not executed in the same transaction as the constructor, a malicious user can front-run the initialize() call, forcing the contract to be redeployed.
Impact
Contract will have to be redeployed.
Code Snippet
File: BlueBerryBank.sol
94: function initialize(IOracle _oracle, IProtocolConfig _config)
Breeje
medium
All
initialize
methods can be Frontrun because of lack of access controlSummary
There is no Access control in
initialize()
method. So anyone can frontrun the transaction and call that on deployer's behalf to gain access.Vulnerability Detail
If the
initializer
is not executed in the same transaction as the constructor, a malicious user can front-run theinitialize()
call, forcing the contract to be redeployed.Impact
Contract will have to be redeployed.
Code Snippet
Link to Code
Link to Code
Link to Code
Link to Code
Link to Code
Link to Code
Link to Code
Link to Code
Tool used
Manual Review
Recommendation
Add a control access modifier such that only the owner can call
initialize()
method.