Access control::init function doesnot have access control
Summary
The init function does not have access control, meaning that any user could potentially call it and initialize the contract. This could be a security risk if the contract is deployed without proper initialization. It should be protected by access control mechanisms, such as the Ownable pattern or similar.
Vulnerability Detail
Anyone can call init function and initialize the function variable.It should be protected by access control mechanisms, such as the Ownable pattern or similar.
Impact
Any one can call the init function and assign the variable this is not good.
Code Snippet
https://github.com/sherlock-audit/2023-12-dodo-gsp/blob/main/dodo-gassaving-pool/contracts/GasSavingPool/impl/GSP.sol#L34
function init(
address maintainer,
address baseTokenAddress,
address quoteTokenAddress,
uint256 lpFeeRate,
uint256 mtFeeRate,
uint256 i,
uint256 k,
bool isOpenTWAP
) external {
// GSP can only be initialized once
require(!_GSPINITIALIZED, "GSP_INITIALIZED");
// _GSPINITIALIZED is set to true after initialization
_GSPINITIALIZED = true;
// baseTokenAddress and quoteTokenAddress should not be the same
require(baseTokenAddress != quoteTokenAddress, "BASE_QUOTE_CAN_NOT_BE_SAME");
// _BASETOKEN and _QUOTETOKEN should be valid ERC20 tokens
_BASETOKEN = IERC20(baseTokenAddress);
_QUOTETOKEN = IERC20(quoteTokenAddress);
// i should be greater than 0 and less than 10**36
require(i > 0 && i <= 10**36);
_I_ = i;
// k should be greater than 0 and less than 10**18
require(k <= 10**18);
_K_ = k;
// _LP_FEE_RATE_ is set when initialization
_LP_FEE_RATE_ = lpFeeRate;
// _MT_FEE_RATE_ is set when initialization
_MT_FEE_RATE_ = mtFeeRate;
// _MAINTAINER_ is set when initialization, the address receives the fee
_MAINTAINER_ = maintainer;
_IS_OPEN_TWAP_ = isOpenTWAP;
// if _IS_OPEN_TWAP_ is true, _BLOCK_TIMESTAMP_LAST_ is set to the current block timestamp
if (isOpenTWAP) _BLOCK_TIMESTAMP_LAST_ = uint32(block.timestamp % 2**32);
string memory connect = "_";
string memory suffix = "GSP";
// name of the shares is the combination of suffix, connect and string of the GSP
name = string(abi.encodePacked(suffix, connect, addressToShortString(address(this))));
// symbol of the shares is GLP
symbol = "GLP";
// decimals of the shares is the same as the base token decimals
decimals = IERC20Metadata(baseTokenAddress).decimals();
// ============================== Permit ====================================
uint256 chainId;
assembly {
chainId := chainid()
}
// DOMAIN_SEPARATOR is used for approve by signature
DOMAIN_SEPARATOR = keccak256(
abi.encode(
// keccak256('EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)'),
0x8b73c3c69bb8fe3d512ecc4cf759cc79239f7b179b0ffacaa9a75d522b39400f,
keccak256(bytes(name)),
keccak256(bytes("1")),
chainId,
address(this)
)
);
// ==========================================================================
}
Tool used
Manual Review
Recommendation
use some t should be protected by access control mechanisms, such as the Ownable pattern or similar.
bareli
medium
Access control::init function doesnot have access control
Summary
The init function does not have access control, meaning that any user could potentially call it and initialize the contract. This could be a security risk if the contract is deployed without proper initialization. It should be protected by access control mechanisms, such as the Ownable pattern or similar.
Vulnerability Detail
Anyone can call init function and initialize the function variable.It should be protected by access control mechanisms, such as the Ownable pattern or similar.
Impact
Any one can call the init function and assign the variable this is not good.
Code Snippet
https://github.com/sherlock-audit/2023-12-dodo-gsp/blob/main/dodo-gassaving-pool/contracts/GasSavingPool/impl/GSP.sol#L34 function init( address maintainer, address baseTokenAddress, address quoteTokenAddress, uint256 lpFeeRate, uint256 mtFeeRate, uint256 i, uint256 k, bool isOpenTWAP ) external { // GSP can only be initialized once require(!_GSPINITIALIZED, "GSP_INITIALIZED"); // _GSPINITIALIZED is set to true after initialization _GSPINITIALIZED = true; // baseTokenAddress and quoteTokenAddress should not be the same require(baseTokenAddress != quoteTokenAddress, "BASE_QUOTE_CAN_NOT_BE_SAME"); // _BASETOKEN and _QUOTETOKEN should be valid ERC20 tokens _BASETOKEN = IERC20(baseTokenAddress); _QUOTETOKEN = IERC20(quoteTokenAddress);
Tool used
Manual Review
Recommendation
use some t should be protected by access control mechanisms, such as the Ownable pattern or similar.
Duplicate of #27