sherlock-audit / 2023-02-kairos-judging


Go-langer - Init function left open for anyone to call and initialize the protocol. #153

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

Go-langer

medium

Init function left open for anyone to call and initialize the protocol.

Summary

Init function left open for anyone to call and initialize the protocol. https://github.com/sherlock-audit/2023-02-kairos/blob/main/kairos-contracts/src/Initializer.sol#L24

Vulnerability Detail

It gives the attacker the ability to set the initial values for the contract's storage variables and manipulate the overall behavior of the protocol, including changing the storage variables, price factors in auction and the APR of the tranches, to name a few.

Impact

The attacker can change the values of protocolStorage() and supplyPositionStorage().

Code Snippet

https://github.com/sherlock-audit/2023-02-kairos/blob/main/kairos-contracts/src/Initializer.sol#L24

Tool used

VS Code

Manual Review

Recommendation

Use a modifier so that this function can only be called by the owner, for example by introducing an access control modifier on the init function.

pragma solidity ^0.8.0;

contract Initializer {
    // owner is set once at deployment so the access check has a reference value
    address public owner;

    constructor() {
        owner = msg.sender;
    }

    // ...

    /// @notice initializes the kairos protocol
    function init() external onlyOwner {
        // ...
    }

    // ...

    modifier onlyOwner() {
        require(msg.sender == owner, "Only contract owner can call this function");
        _;
    }
}

This check must also be added to the init function if you only want the init function to be called once:

    require(!initialized, "Contract instance has already been initialized");
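The following is an added example, not code from the Kairos repository or from the report above. It places an unguarded initializer beside one that applies both recommendations (owner-only access and a one-shot `initialized` flag), and includes a Foundry test that checks the guards hold. The `ProtocolConfig` struct, its fields, the `init` parameters and the `0xBEEF` address are assumptions chosen for illustration; the real `Initializer.sol` has a different shape.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "forge-std/Test.sol"; // Foundry test harness (assumed to be installed)

// Hypothetical stand-in for the protocol's storage layout; field names are assumptions
struct ProtocolConfig {
    uint256 auctionPriceFactor;
    uint256 trancheApr;
}

// Pattern the finding describes: init() has no caller or re-entry restriction,
// so whoever calls it first (or again) decides the protocol parameters.
contract VulnerableInitializer {
    ProtocolConfig public config;

    function init(uint256 priceFactor, uint256 apr) external {
        config = ProtocolConfig(priceFactor, apr);
    }
}

// Hardened form: only the deployer may initialize, and only once.
contract HardenedInitializer {
    address public immutable owner;
    bool public initialized;
    ProtocolConfig public config;

    event Initialized(address indexed by);

    constructor() {
        owner = msg.sender; // deployer becomes owner; no separate setter to hijack
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "Only contract owner can call this function");
        _;
    }

    function init(uint256 priceFactor, uint256 apr) external onlyOwner {
        require(!initialized, "Contract instance has already been initialized");
        initialized = true; // flip the flag before any further state writes
        config = ProtocolConfig(priceFactor, apr);
        emit Initialized(msg.sender);
    }
}

// Foundry tests: the deployer is the test contract, so it is also `owner`.
contract InitializerTest is Test {
    HardenedInitializer hardened;
    address other = address(0xBEEF); // constructed non-owner account

    function setUp() public {
        hardened = new HardenedInitializer();
    }

    // A non-owner call must revert with the access-control message.
    function testNonOwnerCannotInit() public {
        vm.prank(other);
        vm.expectRevert(bytes("Only contract owner can call this function"));
        hardened.init(1, 2);
    }

    // The owner may initialize exactly once; a second call reverts.
    function testOwnerInitsOnlyOnce() public {
        hardened.init(1, 2);
        (uint256 priceFactor, uint256 apr) = hardened.config();
        assertEq(priceFactor, 1);
        assertEq(apr, 2);
        assertTrue(hardened.initialized());

        vm.expectRevert(bytes("Contract instance has already been initialized"));
        hardened.init(3, 4);
    }

    // Regression check for the unguarded pattern: any account can set the config.
    function testUnguardedInitAcceptsAnyCaller() public {
        VulnerableInitializer v = new VulnerableInitializer();
        vm.prank(other);
        v.init(999, 999);
        (uint256 priceFactor, ) = v.config();
        assertEq(priceFactor, 999);
    }
}
```

Run with `forge test`; the first two tests pass against the hardened contract, and the third documents the behaviour that the owner check and `initialized` flag remove. Setting `initialized = true` before the remaining state writes keeps the guard effective even if a later write calls into an external contract.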

Duplicate of #142