initialize() FUNCTIONS SHOULD BE PROTECTED BY ACCESS CONTROL AND SHOULD ONLY BE CALLED VIA ContractFactory.sol
Summary
initialize() functions of the both ProtectionPool.sol and ReferenceLendingPools.sol contracts are not protected by any access control. There UUPS upgradeable implementation contracts are initialized by the ContractFactory.sol contract. Hence above mentioned contracts should only be called via the ContractFactory.sol contract.
Vulnerability Detail
A malicious attacker will be able to copy the ContractFactory.sol initialization transactions of the ProtectionPool and ReferenceLendingPools with the same input parameters and use the same implementation contract to create dummy protection pools and reference lending pools to create a similar protocol.
Impact
A malicious attacker can use the same implementation contract (deployed at the same address) of ProtectionPool.sol and ReferenceLendingPools.sol to create dummy protocol and convince the users to use it.
Create a modifier inside the ProtectionPool.sol and ReferenceLendingPools.sol contracts by providing them with the ContractFactory.sol deployment address, so that only the ContractFactory.sol contract will be able to call the initialize() functions of the ProtectionPool.sol and ReferenceLendingPools.sol (UUPS upgradeable implementation contracts).
Udsen
medium
initialize()FUNCTIONS SHOULD BE PROTECTED BY ACCESS CONTROL AND SHOULD ONLY BE CALLED VIAContractFactory.solSummary
initialize()functions of the bothProtectionPool.solandReferenceLendingPools.solcontracts are not protected by any access control. There UUPS upgradeable implementation contracts are initialized by theContractFactory.solcontract. Hence above mentioned contracts should only be called via theContractFactory.solcontract.Vulnerability Detail
A malicious attacker will be able to copy the
ContractFactory.solinitialization transactions of theProtectionPoolandReferenceLendingPoolswith the same input parameters and use the same implementation contract to create dummy protection pools and reference lending pools to create a similar protocol.Impact
A malicious attacker can use the same implementation contract (deployed at the same address) of
ProtectionPool.solandReferenceLendingPools.solto create dummy protocol and convince the users to use it.Code Snippet
https://github.com/sherlock-audit/2023-02-carapace/blob/main/contracts/core/pool/ProtectionPool.sol#L125-L133 https://github.com/sherlock-audit/2023-02-carapace/blob/main/contracts/core/pool/ReferenceLendingPools.sol#L53-L59
Tool used
VS Code and Manual Review
Recommendation
Create a modifier inside the
ProtectionPool.solandReferenceLendingPools.solcontracts by providing them with theContractFactory.soldeployment address, so that only theContractFactory.solcontract will be able to call theinitialize()functions of theProtectionPool.solandReferenceLendingPools.sol(UUPS upgradeable implementation contracts).