The "initialize" function is at risk of being front-Running，May result in high risk.

Summary

The "initialize" function in the contract carries a high risk of being front-Running. This requires us to be extra cautious during the deployment process.

The "initialize" function is at risk of being front-Running.

Vulnerability Detail

In blockchain, all transactions are visible in the mempool, meaning everyone has the opportunity to see your transaction and potentially front-run it to profit from your transaction before it occurs.

The "initialize" function in the contract carries a high risk of being front-Running. This requires us to be extra cautious during the deployment process.

Therefore, I paid attention to the deployment method of the proxy.

Hardhat does not stop the process with a deploy and does not show failed transactions if they have occurred in some cases

        address payable proxy = deployProxy(address(reactor), "");

During deploy TransparentUpgradeableProxy's initialize method for initializing contracts not called.Because the sencond parameter responsible for this is an empty string.This causes the initialization process itself to be delayed and Contract initialization methods have no check over who calls them.

Impact

Failure of the protocol, with the need for redeploy. If not carefully checked, some serious risks may occur.For example, the Permit2 contract could be replaced with the address of a malicious contract.

Code Snippet

https://github.com/sherlock-audit/2024-02-rubicon-finance/blob/main/gladius-contracts-internal/src/reactors/BaseReactor.sol#L37
https://github.com/sherlock-audit/2024-02-rubicon-finance/blob/main/gladius-contracts-internal/src/reactors/BaseGladiusReactor.sol#L40

Tool used

Manual Review

Recommendation

Carry out checks at the initialization stage or initialize the contract during deployment.

sherlock-audit / 2024-02-rubicon-finance-judging

shaflow01 - The "initialize" function is at risk of being front-Running，May result in high risk. #35