[Lines of code](https://github.com/code-423n4/2023-04-eigenlayer/blob/5e4872358cd2bda1936c29f460ece2308af4def6/src/contracts/core/StrategyManager.sol#L146-L155) # Vulnerability details ## Impact Most of the smart contracts have an initialize() function that anyone can call as initialize() function visibility is either external or public. This could lead to a race condition when the contract is deployed. At that moment a hacker or attacker could call the initialize() function and make the deployed contracts useless. Then it would have to be redeployed again which will be costing a lot of gas. If the attacker calls initialize() on a contract that has already been referenced by a previous contract, the attacker causes that contract to be rendered useless as well. Since initialize() can only be called once, and then it is locked forever, a successful attack leaves the entire contract useless. If the attacker successfully access the initialize function then the following major things can be exploited. 1)Contracts can lose ownership to attacker address. 2)Contract can lose funds to attacker address as the withdrawal function will be called by an attacker. 3)WithdrawalDelayBlocks which is the delay enforced by the contract for completing any delayedWithdrawal can be changed by an attacker. 4)strategyWhitelister address can be changed. 5)Attacker will have control on _initializePauser function. 6)_underlyingToken can be changed. 7)Attacker will have an access on _updateBeaconChainOracle function, etc. Note: The attacker may access any contract initialize() function at once or may access selective smart contract which can cause great damage like funds or ownership control. This is briefly explained in below POC. ## Proof of Concept Alice sees that the EigenLayer team is in the process of deploying their contracts. Alice calls initialize() on each contract as it is deployed, supplying junk data or desired data to the arguments. This wastes EigenLayer team time and money. Below smart contracts initialize() function can be called by anyone. The internal functions called by the initialize() function also does not have owner/admin access control. 1)In StrategyManager.sol, File: src/contracts/core/StrategyManager.sol 146 function initialize(address initialOwner, address initialStrategyWhitelister, IPauserRegistry _pauserRegistry, uint256 initialPausedStatus, uint256 _withdrawalDelayBlocks) 147 external 148 initializer 149 { 150 DOMAIN_SEPARATOR = keccak256(abi.encode(DOMAIN_TYPEHASH, keccak256(bytes("EigenLayer")), ORIGINAL_CHAIN_ID, address(this))); 151 _initializePauser(_pauserRegistry, initialPausedStatus); 152 _transferOwnership(initialOwner); 153 _setStrategyWhitelister(initialStrategyWhitelister); 154 _setWithdrawalDelayBlocks(_withdrawalDelayBlocks); 155 } [Link to code]() Here the initialize function is external with no access control check which means it can be accessed by anyone. The initialize function has all internal functions which does not have any access control check which can be verified in below links, [Link to _initializePauser(..)]() [Link to _setStrategyWhitelister(..)]() [Link to _setWithdrawalDelayBlocks(..)]() File: @openzeppelin-upgrades/contracts/access/OwnableUpgradeable.sol 83 function _transferOwnership(address newOwner) internal virtual { 84 address oldOwner = _owner; 85 _owner = newOwner; 86 emit OwnershipTransferred(oldOwner, newOwner); 87 } [Link to _transferOwnership(..)]() As seen, the values of these state variables can be set as access control checks are missing in these internal functions too. One of the major thing here is transferOwnership which is also an internal function obtained from openzeppelin as shown above can be used to transfer the ownership by attacker/hacker easily. It must be noted that "Ownership of StrategyManager contract is getting transferred to the initialOwner i.e attacker address." 2)In StrategyBase.sol, File: src/contracts/strategies/StrategyBase.sol 51 function initialize(IERC20 _underlyingToken, IPauserRegistry _pauserRegistry) public virtual initializer { 52 _initializeStrategyBase(_underlyingToken, _pauserRegistry); 53 } [Link to code]() Here the initialize() function is public with no access control check which means it can be accessed by anyone. It has also [_initializeStrategyBase(..) function]() which is an internal function with no access control check. the underlaying token address can changed by an attacker/hacker. The underyling token is used for shares in the Strategy. 3)In EigenPod.sol, File: src/contracts/pods/EigenPod.sol 152 function initialize(address _podOwner) external initializer { 153 require(_podOwner != address(0), "EigenPod.initialize: podOwner cannot be zero address"); 154 podOwner = _podOwner; 155 } [Link to code]() Here the initialize() function is external with no access control checks. It is used to set the podOwner which is the owner of the EigenPod. The function only checks address(0) validation and it can be easily set to desired address as podOwner by an attacker. If the attacker set the desired podOwner address then the smart contract funds will be at risk. It can be transferred by an attacker as he will the new owner of the EigenPod.sol contract. withdrawBeforeRestaking() function using [onlyEigenPodOwner modifier]() will be greatly affected as below, File: src/contracts/pods/EigenPod.sol 454 function withdrawBeforeRestaking() external onlyEigenPodOwner hasNeverRestaked { 455 mostRecentWithdrawalBlockNumber = uint32(block.number); 456 _sendETH(podOwner, address(this).balance); 457 } [Link to code]() This function is called by the pod owner to withdraw the balance of the pod when hasRestaked is set to false. It means the entire EigenPod.sol contract balance will be transferred to podOwner address i.e attacker/hacker address. This is direct loss of funds by an attacker so the finding severity is set to high with explanation provided as above. 4)In EigenPodManager.sol, File: src/contracts/pods/EigenPodManager.sol 84 function initialize( 85 IBeaconChainOracle _beaconChainOracle, 86 address initialOwner, 87 IPauserRegistry _pauserRegistry, 88 uint256 _initPausedStatus 89 ) external initializer { 90 _updateBeaconChainOracle(_beaconChainOracle); 91 _transferOwnership(initialOwner); 92 _initializePauser(_pauserRegistry, _initPausedStatus); 93 } [Link to code]() Here initialize() function is external with no access control check. It also has internal functions with no access control which means the state variables can be set or updated easily by an attacker. It can be referred by checking the [_initializePauser(..)]() and [_updateBeaconChainOracle(..)]() As explained above how the attacker can use [_transferOwnership(..)]() to transfer the ownership of contract i.e initialOwner which will ofcourse set by attacker will become the owner of EigenPodManager.sol contract. 5)In DelayedWithdrawalRouter.sol, File: src/contracts/pods/DelayedWithdrawalRouter.sol 49 function initialize(address initOwner, IPauserRegistry _pauserRegistry, uint256 initPausedStatus, uint256 _withdrawalDelayBlocks) external initializer { 50 _transferOwnership(initOwner); 51 _initializePauser(_pauserRegistry, initPausedStatus); 52 _setWithdrawalDelayBlocks(_withdrawalDelayBlocks); 53 } [Link to code]() Here the initialize() function is also external with no access control check means it can be accessed by anyone. It has also internal functions which does not have any access control check meaning the variables can set or updated by attacker is easily. These can be checked here [_transferOwnership(..)]() and [_initializePauser(..)]() and [_setWithdrawalDelayBlocks(..)]() . These can also be exploited by attacker similarly as explained above. Reference for closely similar findings in Vader Protocol audit by code4rena- [Link to audit reference]() Reference for closely similar findings from Trail of Bits audit of Hermez Network(see finding [#12](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/12>)): [Link to audit reference](