search

sherlock-audit / 2024-02-telcoin-platform-audit-update-judging

3 stars 1 forks source link

Aamirusmani1552 - `_disableInitializers()` is not called in constructor of `AmirX.sol` #60

Closed sherlock-admin2 closed 8 months ago

sherlock-admin2 commented 8 months ago

Aamirusmani1552

medium

_disableInitializers() is not called in constructor of AmirX.sol

Summary

No call to _disableInitializers() is made in the constructor of the AmirX.sol potentially exposing the tokens to unknown access.

Vulnerability Detail

Openzeppelin recommend to call _disableInitializers() when there is initialize(...) method that is doing some state changes. This is to prevent the implementation contract from being initialized by anybody. But this is not done in the AmirX.sol. That means anyone can initialize the contract now which will give access of the contract to the attacker.

Impact

Can give access to unknown user.

Code Snippet

https://github.com/sherlock-audit/2024-02-telcoin-platform-audit-update/blob/main/telcoin-contracts/contracts/swap/AmirX.sol

https://github.com/sherlock-audit/2024-02-telcoin-platform-audit-update/blob/main/telcoin-contracts/contracts/swap/AmirX.sol#L49C1-L52C6

Tool used

Manual Review

Recommendation

It is recommended to add the disableInitializer() in the constructor.

File: AmirX.sol

+    constructor() public {
+        disableInitializers();
+    }
sherlock-admin4 commented 8 months ago

1 comment(s) were left on this issue during the judging contest.

WangAudit commented:

when the initialize function is called; it triggers the initializer modifier which restricts repeated intialization