Closed sherlock-admin closed 7 months ago
3 comment(s) were left on this issue during the judging contest.
tsvetanovv commented:
Low
PNS commented:
Front-running initializers where there is no irreversible damage or loss of funds & the protocol could just redeploy and initialize again is not a valid issue.
0xAadi commented:
Invalid
0xDemon
medium
Initialize function can be front run by attacker
Initialize function can be front run by attacker
Summary
The protocol initializes the contract using the initialize function where this function does not apply access control to prevent malicious actors from front running it. There are two examples of this case, one of which is
RubiconFeeController::initialize
, the purpose of this initialization is to set the owner of the contract andfeeRecipient
. The affected code :Some consequences if this happens:
feeRecipient
of the protocolsetPairBasedFee
,setBaseFee
,setFeeRecipient
, andsetGladiusReactor
functions.Vulnerability Detail
POC
To prove this attack vector, I used the existing test environment with slight changes to the setup function
To execute it, just insert this test into
RubiconFeeController.t.sol
and in thesetUp
function just deployRubiconFeeController
. After that execute with :Result :
Impact
feeRecipient
of the protocolsetPairBasedFee
,setBaseFee
,setFeeRecipient
, andsetGladiusReactor
functions.Code Snippet
https://github.com/sherlock-audit/2024-02-rubicon-finance/blob/main/gladius-contracts-internal/src/fee-controllers/RubiconFeeController.sol#L39-L48
https://github.com/sherlock-audit/2024-02-rubicon-finance/blob/main/gladius-contracts-internal/src/reactors/BaseGladiusReactor.sol#L40-L46
Tool used
Manual review
Recommendation
Add a require statement to each initialize function to verify that the function is called by the contract owner only, and post verification roles should be setup. Otherwise, setting the owner in the contract’s constructor to the
msg.sender
and adding theonlyOwner
modifier to all initializers would be enough for access control.