Lines of code
<https://github.com/code-423n4/2023-02-ethos/blob/73687f32b934c9d697b97745356cdf8a1f264955/Ethos-Vault/contracts/ReaperStrategyGranarySupplyOnly.sol#L62>
<https://github.com/code-423n4/2023-02-ethos/blob/73687f32b934c9d697b97745356cdf8a1f264955/Ethos-Vault/contracts/abstract/ReaperBaseStrategyv4.sol#L63>
<https://github.com/code-423n4/2023-02-ethos/blob/73687f32b934c9d697b97745356cdf8a1f264955/Ethos-Core/contracts/CollateralConfig.sol#L46>
In ReaperStrategyGranarySupplyOnly.sol, the initialize function is not called after deployment.
Left open to unintended behaviour and/or an attacker calling the initialize function, gaining control of
core permissions and functions, as highlighted in the __ReaperBaseStrategy_init.
Manually checked through.
Recommended steps:
constructor(address _vault, address[] memory _strategists, address[] memory _multisigRoles, IAToken _gWant) {
initialize(_vault, _strategists, _multisigRoles, _gWant);
}
modifier onlyOwner() {
require(msg.sender == owner(), "Ownable: caller is not the owner");
_;
}
function initialize(address _vault, address[] memory _strategists, address[] memory _multisigRoles, IAToken _gWant)
public initializer onlyOwner {
gWant = _gWant;
want = _gWant.UNDERLYING_ASSET_ADDRESS();
__ReaperBaseStrategy_init(_vault, want, _strategists, _multisigRoles);
rewardClaimingTokens = [address(_gWant)];
}
The text was updated successfully, but these errors were encountered:
All reactions