sherlock-audit / 2023-06-symmetrical-judging

5 stars 4 forks source link

shealtielanz - Missing Initializer in ControlFacet.sol #344

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

shealtielanz

high

Missing Initializer in ControlFacet.sol

Summary

The ControlFacet.sol is missing an initializer modifier on the init function, allows a malicious owner to re-initialize it.

Vulnerability Detail

The ControlFacet.sol

function init(address user, address collateral, address feeCollector) external onlyOwner {
    MAStorage.Layout storage maLayout = MAStorage.layout();

As you can see, it has no modifier and allows for re-initialization.

Impact

This Allows a malicious owner to change the collateral address, the user and also the fee collector at will, and this is too much power given to the onlyOwner, where the could manipulate and scam, users at will.

Code Snippet

Manual Review

Recommendation

Import open Zeppeline's initializable.sol library and make use of the initializer modifier to guard against future, re-intialization