sherlock-audit / 2023-02-carapace-judging


Breeje - All `initialize` methods can be Frontrun because of lack of access control #243

Closed github-actions[bot] closed 1 year ago

github-actions[bot] commented 1 year ago

Breeje

medium

All initialize methods can be Frontrun because of lack of access control

Summary

There is no access control in the initialize() method, so anyone can front-run the transaction and call it on the deployer's behalf to gain access.

Vulnerability Detail

If the initializer is not executed in the same transaction as the constructor, a malicious user can front-run the initialize() call, forcing the contract to be redeployed.

Impact

Contract will have to be redeployed.

Code Snippet

File: GoldfinchAdapter.sol

55:     function initialize(address _owner) external initializer {


File: ContractFactory.sol

87:     function initialize(


File: DefaultStateManager.sol

58:     function initialize() external initializer {


File: PremiumCalculator.sol

29:     function initialize() external initializer {


File: ProtectionPoolCycleManager.sol

50:     function initialize() external initializer {


File: ProtectionPool.sol

125:     function initialize(


File: ReferenceLendingPools.sol

53:     function initialize(


Tool used

Manual Review

Recommendation

Add an access control modifier such that only the owner can call the initialize() method.
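
An added example, not code from the audited repository or from the report's author: it shows the two mitigations the report points to, an initialize() restricted to the deploying account and initialization performed in the same transaction as deployment. The contract names GuardedModule and AtomicDeployer are hypothetical, and the hand-written `initialized` flag stands in for the `initializer` modifier seen in the snippets above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

/// Constructed example: a module whose initialize() only its deployer may call.
contract GuardedModule {
    // Recorded at construction. Immutables are embedded in the runtime
    // bytecode, so the value cannot be changed after deployment.
    address public immutable deployer;
    address public owner;
    bool private initialized; // stand-in for the `initializer` modifier

    error NotDeployer();
    error AlreadyInitialized();

    constructor() {
        deployer = msg.sender;
    }

    function initialize(address _owner) external {
        // Access control: a front-runner's call reverts here, so the
        // legitimate initialize() transaction still succeeds afterwards.
        if (msg.sender != deployer) revert NotDeployer();
        // One-shot guard: the deployer cannot re-initialize either.
        if (initialized) revert AlreadyInitialized();
        initialized = true;
        owner = _owner;
    }
}

/// Constructed example: deploys and initializes in a single transaction,
/// so no uninitialized contract is ever visible to other senders.
contract AtomicDeployer {
    event ModuleDeployed(address indexed module, address indexed owner);

    function deploy(address _owner) external returns (GuardedModule module) {
        module = new GuardedModule();  // deployer == address(this)
        module.initialize(_owner);     // same transaction as construction
        emit ModuleDeployed(address(module), _owner);
    }
}
```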