Code4renaCODE423N4:2021-06-POOLTOGETHER-FINDINGS-ISSUES-67Initialization functions can be front-run with malicious values
Handle
0xRajeev
Vulnerability details
Impact
Most contracts have public visibility initialization functions that can be front-run, allowing an attacker to incorrectly initialize the contracts. Due to the use of the delegatecall proxy pattern, PrizePool/YieldSourcePrizePool/StakePrizePool, ControlledToken/Ticket and yield source contracts ATokenYieldSource/IdleYieldSource/YearnV2YieldSource among others cannot be initialized with a constructor, and have initializer functions.
It is not clear (outside scope of current contracts) if/how the deployment of these contracts handles initializations to prevent front-running.
Impact: All these functions can be front-run by an attacker, allowing them to initialize the contracts with malicious values. Also, if not initializations are not done atomically with creation, all public/external functions can be accessed before initialization because there are no checks to confirm initializations in those functions.
Proof of Concept
Reference: See similar High-severity Finding 9 of Trail of Bits audit of Advanced Blockchain: <https://github.com/trailofbits/publications/blob/master/reviews/AdvancedBlockchain.pdf> and Finding 12 from Trail of Bits audit of Hermez Network <https://github.com/trailofbits/publications/blob/master/reviews/hermez.pdf>
Tools Used
Manual Analysis
Recommended Mitigation Steps
Options: 1) Use a factory pattern that will prevent front-running of initializations 2) Ensure deployment scripts are robust in case of a front-running attack. Carefully review the pitfalls of using delegatecall proxy pattern.
The text was updated successfully, but these errors were encountered:
All reactions