the implementation of SolverVault can be initialized and controlled by anyone
Summary
Anyone could potentially take over the implementation of SolverVault by calling its initialize() function
Vulnerability Detail
SolverVault is an upgradable contract. Once deployed, it will be used as an implementation of a proxy contract. However, when the proxy contract is deployed and initialized, the implementation has never been initialized. Anyone can call SolverVault#initialize() to take over the implementation.
Impact
While it's currently challenging to outline specific attack vectors, the situation leaves a considerable opportunity for a malicious user to exploit potential scenarios:
If somehow the implementation was granted MINTER_ROLE by SolverVaultToken, malicious user may have chance to drain collateral assets in the proxy contract by minting SolverVaultToken and redeem collateral assets with minted SolverVaultToken
Malicious may have chance to block all functions by destructing the implementation if some new features are introduced.
0xpiken
medium
the implementation of
SolverVault
can be initialized and controlled by anyoneSummary
Anyone could potentially take over the implementation of
SolverVault
by calling itsinitialize()
functionVulnerability Detail
SolverVault
is an upgradable contract. Once deployed, it will be used as an implementation of a proxy contract. However, when the proxy contract is deployed and initialized, the implementation has never been initialized. Anyone can callSolverVault#initialize()
to take over the implementation.Impact
While it's currently challenging to outline specific attack vectors, the situation leaves a considerable opportunity for a malicious user to exploit potential scenarios:
MINTER_ROLE
bySolverVaultToken
, malicious user may have chance to drain collateral assets in the proxy contract by mintingSolverVaultToken
and redeem collateral assets with mintedSolverVaultToken
Code Snippet
https://github.com/sherlock-audit/2023-12-symm-io/blob/main/solver-vaults/contracts/SolverVaults.sol#L80-L105
Tool used
Manual Review
Recommendation
Call
_disableInitializers()
in constructor function:Duplicate of #47