search

sherlock-audit / 2024-05-beefy-cowcentrated-liquidity-manager-judging

5 stars 5 forks source link

no - No Protection of Uninitialized Implementation Contracts From Attacker #115

Closed sherlock-admin4 closed 2 months ago

sherlock-admin4 commented 2 months ago

no

medium

No Protection of Uninitialized Implementation Contracts From Attacker

Summary

No Protection of Uninitialized Implementation Contract From Attacker

Vulnerability Detail

In the contract StrategyPassiveManagerVelodrome implements Openzeppelin’s Upgradeable model, uninitialized implementation contract can be taken over by an attacker with initialize function, it’s recommended to invoke the _disableInitializers function in the constructor to prevent the implementation contract from being used by the attacker. However the contract which implements PausableUpgradeable and OwnableUpgradeable do not call _disableInitializers in the constructors

Impact

Uninitialized implementation contract can be taken over by an attacker with initialize function. Conduct a phishing scam at this contract address since it was deployed by the Gamma Team.

Code Snippet

https://github.com/sherlock-audit/2024-05-beefy-cowcentrated-liquidity-manager/blob/main/cowcentrated-contracts/contracts/strategies/velodrome/StrategyPassiveManagerVelodrome.sol#L28

Tool used

Manual Review

Recommendation

+ constructor() {
+        _disableInitializers();
+    }
sherlock-admin3 commented 2 months ago

1 comment(s) were left on this issue during the judging contest.

z3s commented:

18