search

sherlock-audit / 2023-12-symm-io-judging

1 stars 0 forks source link

0xpiken - the implementation of `SolverVault` can be initialized and controlled by anyone #133

Closed sherlock-admin closed 8 months ago

sherlock-admin commented 8 months ago

0xpiken

medium

the implementation of SolverVault can be initialized and controlled by anyone

Summary

Anyone could potentially take over the implementation of SolverVault by calling its initialize() function

Vulnerability Detail

SolverVault is an upgradable contract. Once deployed, it will be used as an implementation of a proxy contract. However, when the proxy contract is deployed and initialized, the implementation has never been initialized. Anyone can call SolverVault#initialize() to take over the implementation.

Impact

While it's currently challenging to outline specific attack vectors, the situation leaves a considerable opportunity for a malicious user to exploit potential scenarios:

  1. If somehow the implementation was granted MINTER_ROLE by SolverVaultToken, malicious user may have chance to drain collateral assets in the proxy contract by minting SolverVaultToken and redeem collateral assets with minted SolverVaultToken
  2. Malicious may have chance to block all functions by destructing the implementation if some new features are introduced.

Code Snippet

https://github.com/sherlock-audit/2023-12-symm-io/blob/main/solver-vaults/contracts/SolverVaults.sol#L80-L105

Tool used

Manual Review

Recommendation

Call _disableInitializers() in constructor function:

+   constructor() {
+      _disableInitializers();
+   }

Duplicate of #47

sherlock-admin2 commented 8 months ago

1 comment(s) were left on this issue during the judging contest.

imkapadia commented:

The issue is valid. But severity is low. That's why It is classified as Invalid