Clever Pink Bat - Front-runable initializer

[sherlock-admin4]

Clever Pink Bat

Low/Info

Front-runable initializer

Summary

The contract initializer lacks access controls, allowing anyone to initialize it. This vulnerability enables malicious users to front-run the initialize() call with incorrect parameters.

Vulnerability Detail

If the initializer is not executed in the same transaction as the constructor, a malicious user can front-run the initialize() call, forcing the contract to be redeployed. contract initializer is missing access controls, allowing users to initialize the contract. By front-running the contract deployers to initialize the contract, the incorrect parameters may be supplied, leaving the contract needing redeployed.

Impact

High risk of misconfiguration, requiring contract redeployment.

Code Snippet

https://github.com/sherlock-audit/2024-06-leveraged-vaults/blob/main/leveraged-vaults-private/contracts/vaults/staking/BaseStakingVault.sol#L60

 function initialize(string memory name, uint16 borrowCurrencyId) public virtual initializer {
        __INIT_VAULT(name, borrowCurrencyId);
        // Double check to ensure that these tokens are matching
        require(BORROW_TOKEN == address(_underlyingToken()));

        _initialize();
    }

initialize function does not have access control. That is vulnerable to front-running.

Tool used

Manual Review

Recommendation

Setting the owner in the contract's constructor to the msg.sender and adding the onlyOwner modifier to all initializers would be a sufficient level of access control.

[sherlock-admin3]

1 comment(s) were left on this issue during the judging contest.

0xmystery commented:

This issue is invalid according to sherlock rules