Platform: Code4rena
Start Date: 08/06/2022
Pot Size: $115,000 USDC
Total HM: 26
Participants: 72
Period: 11 days
Judge: leastwood
Total Solo HM: 14
Id: 132
League: ETH
Rank: 56/72
Findings: 1
Award: $142.27
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: BowTiedWardens
Also found by: 0x1f8b, 0x29A, 0x52, 0xNazgul, 0xNineDec, 0xf15ers, 0xkatana, 0xmint, Chom, ElKu, Funen, IllIllI, JMukesh, Jujic, Kaiziron, Lambda, MiloTruck, Ruhum, SmartSek, SooYa, TerrierLover, TomJ, WatchPug, Waze, _Adam, asutorufos, auditor0517, bardamu, c3phas, catchup, cccz, ch13fd357r0y3r, cloudjunky, cmichel, cryptphi, csanuragjain, defsec, fatherOfBlocks, hansfriese, hyh, jayjonah8, joestakey, k, kenta, obtarian, oyc_109, robee, sach1r0, shenwilly, simon135, slywaters, sorrynotsorry, tintin, unforgiven, xiaoming90, zzzitron
142.2658 USDC - $142.27
An attacker could Double Initialize the Diamond Init contract due to unsafe checks.
Remixd and Remix
There is no Standard Initializer modifier on init function. It seems the contract sets the s.initalized = true but this cannot be a valid check because I was able to call it multiple times on testing.
Use Initializer modifier on Openzepplin library.
#0 - LayneHaber
2022-06-26T01:15:05Z
#1 - 0xleastwood
2022-08-02T05:06:46Z
I disagree with the validity of this finding. init() can be called multiple times, but subsequent calls to this function have no affect on the state of the contract. Hence, I will downgrade this to QA.