initialize() functions are front-runnable due to missing access control
Summary
There are no access control checks on the initialize() functions used to configure the protocol during deployment. Because contract creation and initialization happen in separate transactions, there is a window between them in which anyone can call initialize(). An attacker watching the mempool can front-run the legitimate initialization transaction and call initialize() with their own parameters, e.g. set arbitrary implementation and token addresses, or assign the intended ownership roles to themselves.
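The following is an added illustration, not code from the affected project: a minimal contract with the unrestricted initializer described above, beside two ways of closing the window (restricting the caller, or deploying and initializing in a single transaction). All contract and variable names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the project's code. Names are hypothetical.

// Vulnerable pattern: initialize() is callable by anyone. Whoever lands a call
// first (e.g. by front-running the deployer's transaction) becomes owner and
// picks the implementation address; the guard only stops a *second* call.
contract VaultVulnerable {
    address public owner;
    address public implementation;
    bool private initialized;

    function initialize(address _owner, address _implementation) external {
        require(!initialized, "already initialized");
        initialized = true;
        owner = _owner;
        implementation = _implementation;
    }
}

// Mitigation 1: record the deployer in the constructor and only let that
// address initialize. Works for non-proxy contracts, where the constructor
// actually runs in the storage that initialize() later writes to.
contract VaultRestricted {
    address public immutable deployer;
    address public owner;
    address public implementation;
    bool private initialized;

    constructor() {
        deployer = msg.sender;
    }

    function initialize(address _owner, address _implementation) external {
        require(msg.sender == deployer, "not deployer");
        require(!initialized, "already initialized");
        initialized = true;
        owner = _owner;
        implementation = _implementation;
    }
}

// Mitigation 2: create and initialize atomically from a factory. The contract
// does not exist before this transaction, so no third party can call
// initialize() on it first; there is no window to front-run.
contract VaultFactory {
    event Deployed(address vault, address owner);

    function deploy(address _owner, address _implementation) external returns (address) {
        VaultVulnerable v = new VaultVulnerable();
        v.initialize(_owner, _implementation); // same transaction as creation
        emit Deployed(address(v), _owner);
        return address(v);
    }
}
```

For upgradeable proxies the same principle applies: pass the ABI-encoded initialize() call as the proxy's constructor data (OpenZeppelin's ERC1967Proxy takes such a `_data` argument) so the proxy is initialized in its creation transaction, and call `_disableInitializers()` in the implementation's constructor so the bare implementation cannot be initialized by anyone either. A quick review check is to list every `function initialize` in the codebase and confirm each one is either restricted to a known caller or only ever invoked inside the deployment transaction.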
Impact:
An attacker who front-runs an initializer can set the protocol's configuration values or take ownership of the contract. In the best case the team notices before any funds are involved and is only forced to redeploy; in the worst case the attacker controls the implementation or token addresses the protocol trusts.
Root Cause
The affected contracts include the following (note that the list below should not be considered exhaustive):