ADMIN_ROLE, ADMIN_DELEGATE_ROLE, and OPERATOR roles at risk
Summary
ADMIN_ROLE, ADMIN_DELEGATE_ROLE, and OPERATOR roles are at risk because initialize(...) can be front-run.
Vulnerability Detail
ADMIN_ROLE, ADMIN_DELEGATE_ROLE, and OPERATOR roles are at risk because initialize(...) can be front-run: anyone can call initialize(...), since the constructor does not call _disableInitializers(). initialize(...) cannot be called a second time even though the initializer() modifier is not used, because the configurator variable is set when initialize(...) is first called by the attacker, which locks out every later caller, including the legitimate deployer.
Impact
All functions that should only be callable by the admin or operator can be called by the attacker: the ones calling _requireAdmin() and the ones using the modifiers atLeastOperator() and onlyAdmin(). The attacker will be able to configure the vault to his liking, add and remove tokens and modules, process withdrawals when he wants, and more. He is in complete control of the protocol.
0xjarix
High
Code Snippet
https://github.com/sherlock-audit/2024-06-mellow/blob/main/mellow-lrt/src/security/Initializer.sol#L14
Tool used
Manual Review
Recommendation
Fix the bug by adding _disableInitializers() to the constructor.
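The following is an added illustration, not code from the Mellow repository or from this report. The contract names, the hasRole mapping and setConfigurator() are assumptions; the configurator gate mirrors the pattern the finding describes. One caveat a reviewer should keep in mind: _disableInitializers() only locks functions that carry OpenZeppelin's initializer/reinitializer modifier, so the hardened variant below adds that modifier to initialize() alongside the constructor change.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Mellow code. Names are assumptions; the configurator
// gate mirrors the pattern described in the finding.
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";

/// Vulnerable shape: no constructor, no initializer modifier. The first account to
/// call initialize() (whoever wins the race) chooses the admin and becomes the
/// configurator; the configurator check then locks out everyone else, including
/// the legitimate deployer.
contract VaultVulnerable {
    bytes32 public constant ADMIN_ROLE = keccak256("ADMIN_ROLE");
    address public configurator;
    mapping(bytes32 => mapping(address => bool)) public hasRole;

    error AlreadyInitialized();
    error Forbidden();

    function initialize(address admin) external {
        // The only gate: a second call reverts, so the first caller keeps control.
        if (configurator != address(0)) revert AlreadyInitialized();
        configurator = msg.sender;
        hasRole[ADMIN_ROLE][admin] = true;
    }

    function _requireAdmin() internal view {
        if (!hasRole[ADMIN_ROLE][msg.sender]) revert Forbidden();
    }

    // Reachable by whichever admin the front-runner installed.
    function setConfigurator(address newConfigurator) external {
        _requireAdmin();
        configurator = newConfigurator;
    }
}

/// Hardened shape: the constructor disables initializers on the implementation
/// contract itself, and initialize() carries the `initializer` modifier, which is
/// the state _disableInitializers() actually locks. A proxy's storage is untouched
/// by the constructor, so the proxy can still be initialized exactly once.
contract VaultHardened is Initializable {
    bytes32 public constant ADMIN_ROLE = keccak256("ADMIN_ROLE");
    address public configurator;
    mapping(bytes32 => mapping(address => bool)) public hasRole;

    error Forbidden();

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        _disableInitializers();
    }

    function initialize(address admin) external initializer {
        configurator = msg.sender;
        hasRole[ADMIN_ROLE][admin] = true;
    }

    function _requireAdmin() internal view {
        if (!hasRole[ADMIN_ROLE][msg.sender]) revert Forbidden();
    }

    function setConfigurator(address newConfigurator) external {
        _requireAdmin();
        configurator = newConfigurator;
    }
}
```

For the proxy in front of VaultHardened, pass the initialize() calldata to the proxy constructor (ERC1967Proxy accepts it as its second argument) so deployment and initialization land in one transaction and there is no block in which the proxy sits uninitialized.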