Closed sherlock-admin closed 5 months ago
1 comment(s) were left on this issue during the judging contest.
takarez commented:
invalid
Low severity, even if true, core functionalities are not impacted given the original admin deploying contracts can still call admin only functions as needed.
stacey
medium
The initialization contract
FlatcoinVault
fails if_owner
is not themsg.sender
medium
The initialization contract
FlatcoinVault
fails if_owner
is not themsg.sender
Summary
The following methods are called during the initialization process:
setMaxFundingVelocity
,setMaxVelocitySkew
,setStableCollateralCap
,setSkewFractionMax
,setExecutabilityAge
. These operations can be reverted if executed by someone other than the owner.Vulnerability Detail
The vulnerability resides in the
FlatcoinVault.initialize(...)
function: [source] (https://github.com/sherlock-audit/2023-12-flatmoney/blob/bba4f077a64f43fbd565f8983388d0e985cb85db/flatcoin-v1/src/FlatcoinVault.sol#L109C1-L131C6)The function
__Ownable_init()
setsmsg.sender
as the owner of theFlatcoinVault
contract. Subsequently, the function_transferOwnership(_owner)
changes the contract's ownership to_owner
, which is an argument of the`initialize(...)
function.Functions
setMaxFundingVelocity
,setMaxVelocitySkew
,setStableCollateralCap
,setSkewFractionMax
,setExecutabilityAge
have a modifieronlyOwner
. However,msg.sender
for these functions ismsg.sender
ofinitialize(...)
function, not the owner set in the function_transferOwnership(_owner)
.Therefore, if the
owner
set in_transferOwnership(_owner)
is not the same asmsg.sender
ofinitialize(...)
function, the function will fail.Impact
The impact of this vulnerability on smart contract operation is very large. If initialization fails, the contract will not work as intended. To solve this problem, the contract needs to be re-deployed.
Code Snippet
If the argument
_owner: admin
is changed to_owner: carol
inSetup.sol
and the functionvaultProxy.initialize(...)
is called, the operation will fail.result:
Tool used
Manual Review
Recommendation
To resolve this issue, call
_transferOwnership(_owner)
at the end of theFlatcoinVault.initialize(...)
function.