Closed github-actions[bot] closed 1 year ago
PNM
medium
Anyone can call initialize() of various implementation contracts
The initialize function of the following implementation contracts can be triggered by any account: https://github.com/PwnedNoMore-DAO/2023-02-blueberry/blob/main/contracts/vault/HardVault.sol#L36 https://github.com/PwnedNoMore-DAO/2023-02-blueberry/blob/main/contracts/vault/SoftVault.sol#L41 https://github.com/PwnedNoMore-DAO/2023-02-blueberry/blob/main/contracts/BlueBerryBank.sol#L94 https://github.com/PwnedNoMore-DAO/2023-02-blueberry/blob/main/contracts/ProtocolConfig.sol#L28
initialize
An attacker can get the ownership of those implementation contracts.
https://github.com/PwnedNoMore-DAO/2023-02-blueberry/blob/main/contracts/vault/HardVault.sol#L36 https://github.com/PwnedNoMore-DAO/2023-02-blueberry/blob/main/contracts/vault/SoftVault.sol#L41 https://github.com/PwnedNoMore-DAO/2023-02-blueberry/blob/main/contracts/BlueBerryBank.sol#L94 https://github.com/PwnedNoMore-DAO/2023-02-blueberry/blob/main/contracts/ProtocolConfig.sol#L28
Avoid leaving a contract uninitialized (see https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/proxy/utils/Initializable.sol#L51)
PNM
medium
Med: Anyone can call initialize() of the implementation contract
Summary
Anyone can call initialize() of various implementation contracts
Vulnerability Detail
The
initializefunction of the following implementation contracts can be triggered by any account: https://github.com/PwnedNoMore-DAO/2023-02-blueberry/blob/main/contracts/vault/HardVault.sol#L36 https://github.com/PwnedNoMore-DAO/2023-02-blueberry/blob/main/contracts/vault/SoftVault.sol#L41 https://github.com/PwnedNoMore-DAO/2023-02-blueberry/blob/main/contracts/BlueBerryBank.sol#L94 https://github.com/PwnedNoMore-DAO/2023-02-blueberry/blob/main/contracts/ProtocolConfig.sol#L28Impact
An attacker can get the ownership of those implementation contracts.
Code Snippet
https://github.com/PwnedNoMore-DAO/2023-02-blueberry/blob/main/contracts/vault/HardVault.sol#L36 https://github.com/PwnedNoMore-DAO/2023-02-blueberry/blob/main/contracts/vault/SoftVault.sol#L41 https://github.com/PwnedNoMore-DAO/2023-02-blueberry/blob/main/contracts/BlueBerryBank.sol#L94 https://github.com/PwnedNoMore-DAO/2023-02-blueberry/blob/main/contracts/ProtocolConfig.sol#L28
Tool used
Recommendation
Avoid leaving a contract uninitialized (see https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/proxy/utils/Initializable.sol#L51)