Code4rena (code423n4), CODE423N4:2022-07-FRACTIONAL-FINDINGS-ISSUES-603
Jul 14, 2022 - 12:00 a.m.

Uninitialized implementation for Vault can be destroyed


Lines of code
<https://github.com/code-423n4/2022-07-fractional/blob/main/src/Vault.sol#L24-L29>

Vulnerability details

Impact

Every Vault is a proxy of the same implementation contract. This implementation is deployed from VaultFactory but never initialized.

/// @notice Initializes implementation contract
constructor() {
    implementation = address(new Vault());
}

Anyone can call init() on the implementation and become its owner.

/// @dev Initializes nonce and proxy owner
function init() external {
    if (nonce != 0) revert Initialized(owner, msg.sender, nonce);
    nonce = 1;
    owner = msg.sender;
    emit TransferOwnership(address(0), msg.sender);
}

With total control over the implementation contract, the owner can make it delegatecall into code that executes selfdestruct. Because every Vault is a proxy of this implementation, destroying it blocks all Vault functionality.

Proof of Concept

  1. Alice calls init() on the Vault's implementation.
  2. She installs a plugin that has a selfdestruct function.
  3. She executes that function (using fallback).

Now the implementation contract is destroyed, leading to the loss of functionality of all Vaults.

Recommended Mitigation Steps

Call init() on the implementation right after creating it.
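
The recommended mitigation as an added example (not the project's own code): simplified stand-ins for Vault and VaultFactory in which the factory constructor initializes the implementation in the same transaction that deploys it. The state declarations, the error and event signatures, and the ImplementationInitCheck contract are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Simplified stand-in for the page's Vault: only the state and the init()
// logic quoted in the report are kept. Declarations are assumed.
contract Vault {
    address public owner;
    uint256 public nonce;

    error Initialized(address owner, address caller, uint256 nonce);
    event TransferOwnership(address indexed oldOwner, address indexed newOwner);

    /// @dev Initializes nonce and proxy owner (same logic as quoted in the report)
    function init() external {
        if (nonce != 0) revert Initialized(owner, msg.sender, nonce);
        nonce = 1;
        owner = msg.sender;
        emit TransferOwnership(address(0), msg.sender);
    }
}

contract VaultFactory {
    address public immutable implementation;

    /// @notice Deploys the implementation and initializes it immediately
    constructor() {
        Vault vault = new Vault();
        // No external caller can run between deployment and this call, so the
        // factory, not an arbitrary account, becomes the implementation's owner.
        vault.init();
        implementation = address(vault);
    }
}

// Hypothetical check contract: confirms that a later init() on the
// implementation reverts, so ownership can no longer be claimed.
contract ImplementationInitCheck {
    function implementationIsLocked(VaultFactory factory) external returns (bool) {
        Vault impl = Vault(factory.implementation());
        try impl.init() {
            return false; // init() succeeded: implementation was left uninitialized
        } catch {
            return impl.owner() == address(factory) && impl.nonce() == 1;
        }
    }
}
```

With this change the factory is the implementation's owner, so the factory itself must not expose any function that performs owner-only actions on the implementation.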

