Closed sherlock-admin2 closed 7 months ago
3 comment(s) were left on this issue during the judging contest.
tsvetanovv commented:
Low
PNS commented:
Front-running initializers where there is no irreversible damage or loss of funds & the protocol could just redeploy and initialize again is not a valid issue.
0xAadi commented:
Invalid: OOS
shaflow01
medium
The "initialize" function is at risk of being front-Running,May result in high risk.
Summary
The "initialize" function in the contract carries a high risk of being front-Running. This requires us to be extra cautious during the deployment process.
The "initialize" function is at risk of being front-Running.
Vulnerability Detail
In blockchain, all transactions are visible in the mempool, meaning everyone has the opportunity to see your transaction and potentially front-run it to profit from your transaction before it occurs.
The "initialize" function in the contract carries a high risk of being front-Running. This requires us to be extra cautious during the deployment process.
Therefore, I paid attention to the deployment method of the proxy.
Hardhat does not stop the process with a deploy and does not show failed transactions if they have occurred in some cases
During deploy TransparentUpgradeableProxy's initialize method for initializing contracts not called.Because the sencond parameter responsible for this is an empty string.This causes the initialization process itself to be delayed and Contract initialization methods have no check over who calls them.
Impact
Failure of the protocol, with the need for redeploy. If not carefully checked, some serious risks may occur.For example, the Permit2 contract could be replaced with the address of a malicious contract.
Code Snippet
https://github.com/sherlock-audit/2024-02-rubicon-finance/blob/main/gladius-contracts-internal/src/reactors/BaseReactor.sol#L37
https://github.com/sherlock-audit/2024-02-rubicon-finance/blob/main/gladius-contracts-internal/src/reactors/BaseGladiusReactor.sol#L40
Tool used
Manual Review
Recommendation
Carry out checks at the initialization stage or initialize the contract during deployment.