Tame Menthol Condor

Medium

initialize() functions are front-runnable due to missing access control

Summary

There are no access control checks on initialize() functions used to configure the protocol during the deployment. An attacker could front-run the deployment process and call initialize() functions to set their own parameters, e.g. set arbitrary implementation and token addresses or modify intended ownerships.

Impact:

Initializers could be front-run, allowing an attacker to either set their values, take ownership of the contract, and in the best case force a re-deployment.

Root Cause

The affected contracts include (note, the list below should not be considered exhaustive):

https://github.com/sherlock-audit/2024-08-morphl2/blob/main/morph/contracts/contracts/l1/L1CrossDomainMessenger.sol#L84

https://github.com/sherlock-audit/2024-08-morphl2/blob/main/morph/contracts/contracts/l1/gateways/EnforcedTxGateway.sol#L58

https://github.com/sherlock-audit/2024-08-morphl2/blob/main/morph/contracts/contracts/l1/gateways/L1CustomERC20Gateway.sol#L52

https://github.com/sherlock-audit/2024-08-morphl2/blob/main/morph/contracts/contracts/l1/gateways/L1ERC721Gateway.sol#L51

https://github.com/sherlock-audit/2024-08-morphl2/blob/main/morph/contracts/contracts/l1/gateways/L1ERC1155Gateway.sol#L51

https://github.com/sherlock-audit/2024-08-morphl2/blob/main/morph/contracts/contracts/l1/rollup/Rollup.sol#L142

https://github.com/sherlock-audit/2024-08-morphl2/blob/main/morph/contracts/contracts/l2/staking/Distribute.sol#L77

https://github.com/sherlock-audit/2024-08-morphl2/blob/main/morph/contracts/contracts/l2/staking/Gov.sol#L98

https://github.com/sherlock-audit/2024-08-morphl2/blob/main/morph/contracts/contracts/l2/staking/L2Staking.sol#L119

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

No response

PoC

No response

Mitigation

No response