The contracts can be re-initialised by an attacker
Vulnerability Detail
In the contracts that implemented Openzeppelin’s UUPS model, an uninitialized implementation contract can be taken over by an attacker with the initialize function, it’s recommended to invoke the _disableInitializers function in the constructor to prevent the implementation contract from being used by the attacker.
Impact
The protocol will not be able to deposit into EIgenLayer
Prevent the initialise function from being called on the contracts by inheriting from OpenZeppelin's Initializable contract, like the system is doing in other contracts. Call the _disableInitializers function in the constructor and protect initialise with the initializer modifier.
0xfave
high
Contracts can be re initialised
Summary
The contracts can be re-initialised by an attacker
Vulnerability Detail
In the contracts that implemented Openzeppelin’s UUPS model, an uninitialized implementation contract can be taken over by an attacker with the initialize function, it’s recommended to invoke the _disableInitializers function in the constructor to prevent the implementation contract from being used by the attacker.
Impact
The protocol will not be able to deposit into EIgenLayer
Code Snippet
https://github.com/sherlock-audit/2024-02-rio-network-core-protocol/blob/main/rio-sherlock-audit/contracts/restaking/RioLRTCoordinator.sol#L55 https://github.com/sherlock-audit/2024-02-rio-network-core-protocol/blob/main/rio-sherlock-audit/contracts/restaking/RioLRTAVSRegistry.sol#L26 https://github.com/sherlock-audit/2024-02-rio-network-core-protocol/blob/main/rio-sherlock-audit/contracts/restaking/RioLRTAssetRegistry.sol#L40 https://github.com/sherlock-audit/2024-02-rio-network-core-protocol/blob/main/rio-sherlock-audit/contracts/restaking/RioLRTDepositPool.sol#L31-L33 https://github.com/sherlock-audit/2024-02-rio-network-core-protocol/blob/main/rio-sherlock-audit/contracts/restaking/RioLRTRewardDistributor.sol#L29 https://github.com/sherlock-audit/2024-02-rio-network-core-protocol/blob/main/rio-sherlock-audit/contracts/restaking/RioLRTWithdrawalQueue.sol#L34-L36
Tool used
Manual Review
Recommendation
Prevent the initialise function from being called on the contracts by inheriting from OpenZeppelin's Initializable contract, like the system is doing in other contracts. Call the _disableInitializers function in the constructor and protect initialise with the initializer modifier.