Squilliam - [M-4] `Auditor::initialize` can be frontrun due to lack of access control, allowing attackers to grant themselves admin role and manipulate the protocol in many different ways

[sherlock-admin2]

Squilliam

medium

[M-4] Auditor::initialize can be frontrun due to lack of access control, allowing attackers to grant themselves admin role and manipulate the protocol in many different ways

Summary

The initialize function in the EscrowedExa::initialize contract is vulnerable to frontrunning attacks due to lack of access control , allowing attackers to grant themselves admin control and set the liquidation incentive (liquidator and lenders) for the whole ecosystem.

Vulnerability Detail

 function initialize(LiquidationIncentive memory liquidationIncentive_) external initializer {
    __AccessControl_init();

    _grantRole(DEFAULT_ADMIN_ROLE, msg.sender);

    setLiquidationIncentive(liquidationIncentive_);
  }

The code above can be found in ExcrowedExa::initialize and if exactly protocol deploys their contracts and does not identify that they have already been initialized, users could start using a system that was compromised from the start.

If an attacker sees this transaction in the mempool, they can frontrun the transaction with a higher gas pay and call the initialize function before the owner. This would be possible because the initialize function is not protected against frontrunning in the transaction ordering sense. The initializer modifier in Solidity is specifically designed to ensure that a function marked with it can only be invoked once during the contract's initialization phase. The initializer modifier does not provide access control functionality.

Attackers could grant themselves admin role, and set the liquidation incentive (liquidators and lenders) for the whole ecosystem and enable any markets they want with the enableMarket function, can alter the adjust factor for a certain markets with the setAdjustFactor function, change the Chainlink Price Feed Aggregator source for markets with the setPriceFeed()

Impact

Attackers could exploit the vulnerability to grant themselves admin control, potentially allowing them to manipulate the system to their advantage. This could lead to unauthorized withdrawals or transfers of funds from the contract, resulting in financial losses for users. Attackers whom give themselves the admin role can do the following:

setLiquidationIncentive: The attacker can adjust the liquidation incentive, which affects the rewards for liquidators and lenders. By changing this incentive, they can influence the behavior of liquidators and potentially manipulate liquidation events.

enableMarket: By enabling or disabling markets, the attacker can manipulate which markets are available for trading, potentially favoring or disfavoring certain assets.

setAdjustFactor: The attacker can set the adjust factor for a market, which affects the calculation of collateralization ratios and liquidation thresholds. This could be used to manipulate the liquidation risk for specific assets.

setPriceFeed: The attacker can change the price feed source for a market, potentially using a manipulated or unreliable source to influence asset prices. This could lead to inaccurate collateral valuations and unfair liquidations.

In summary, an attacker taking control of the admin role through a front-running attack on the initialize function can significantly disrupt the protocol's operations and potentially manipulate markets, asset prices, and liquidation events to their advantage.

Code Snippet

This initialize function vulnerability can be found here: https://github.com/sherlock-audit/2024-04-interest-rate-model/blob/main/protocol/contracts/Auditor.sol?plain=1#L53-L59

The enableMarket function can be found here: https://github.com/sherlock-audit/2024-04-interest-rate-model/blob/main/protocol/contracts/Auditor.sol?plain=1#L344-L367

The setAdjustFactor function can be found here: https://github.com/sherlock-audit/2024-04-interest-rate-model/blob/main/protocol/contracts/Auditor.sol?plain=1#L372-L377

The setPriceFeed function can be found here: https://github.com/sherlock-audit/2024-04-interest-rate-model/blob/main/protocol/contracts/Auditor.sol?plain=1#L382-L386

The setLiquidationIncentive function can be found here: https://github.com/sherlock-audit/2024-04-interest-rate-model/blob/main/protocol/contracts/Auditor.sol?plain=1#L390-L395

Tool used

Manual Review

Recommendation

Implement valid access control on the initialize() to ensure only the relevant deployer can initialize such as an onlyOwner modifier or automatically call initialize in your deploy function in your setup.

[santipu03]

This issue is marked as invalid according to the Sherlock guidelines:

Front-running initializers: Front-running initializers where there is no irreversible damage or loss of funds & the protocol could just redeploy and initialize again is not a valid issue.