Closed sherlock-admin2 closed 7 months ago
3 comment(s) were left on this issue during the judging contest.
tsvetanovv commented:
Low
PNS commented:
Front-running initializers where there is no irreversible damage or loss of funds & the protocol could just redeploy and initialize again is not a valid issue.
0xAadi commented:
Invalid
AgileJune
high
initialize() in RubiconFeeController can be frontrun
Summary
initialize() in RubiconFeeController can be frontrun
Vulnerability Detail
The malicious user can front run initialize() with higher gas fee to set feeRecipient as his own address, then real owner can't assign it again because initialized is set true already.
Impact
The adversary can set feeRecipient to steal funds.
Code Snippet
https://github.com/sherlock-audit/2024-02-rubicon-finance/blob/main/gladius-contracts-internal/src/fee-controllers/RubiconFeeController.sol#L39-L48
Tool used
Manual Review
Recommendation
Prevent to call initialize() by any user, for instance, adding auth modifier can solve the issue.