initialize functions can be frontrun #185
Labels
1 (Low Risk): Assets are not at risk. State handling, function incorrect as to spec, issues with comments
bug: Something isn't working
Handle: cmichel
Vulnerability details
The initialize function that initializes important contract state can be called by anyone. See:
MintableERC20.initialize
PolygonERC20Wrapper.initialize
Impact
The attacker can initialize the contract before the legitimate deployer, hoping that the victim continues to use the same contract.
In the best case for the victim, they notice it and have to redeploy their contract costing gas.
Recommended Mitigation Steps
Use the constructor to initialize non-proxied contracts.
For initializing proxy contracts, deploy them through a factory contract that calls initialize in the same transaction as the deployment, or make sure to call it immediately after deployment and verify that the initialization transaction succeeded.
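As an added illustration (not the audited project's code; contract and function names are made up), the unprotected pattern beside a factory that deploys and initializes in one transaction so no call can interleave:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Vulnerable pattern (constructed example): anyone who sees the deployment
// can call initialize() first and become the owner.
contract UnprotectedToken {
    address public owner;
    bool private initialized;

    function initialize(address _owner) external {
        require(!initialized, "already initialized");
        initialized = true;
        owner = _owner; // first caller wins, whoever they are
    }
}

// Hardened pattern: only the deploying factory may initialize, and the
// factory does so in the same transaction as the deployment.
contract GuardedToken {
    address public immutable factory;
    address public owner;
    bool private initialized;

    constructor() {
        factory = msg.sender; // the factory that created this contract
    }

    function initialize(address _owner) external {
        require(msg.sender == factory, "only factory");
        require(!initialized, "already initialized");
        initialized = true;
        owner = _owner;
    }
}

contract TokenFactory {
    event Deployed(address token, address owner);

    function deploy(address _owner) external returns (GuardedToken token) {
        token = new GuardedToken();   // token.factory == address(this)
        token.initialize(_owner);     // same transaction: no front-running window
        emit Deployed(address(token), _owner);
    }
}
```

For a non-proxied contract the same effect is obtained more simply by moving the initialization into the constructor, as the mitigation above recommends.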