Platform: Code4rena
Start Date: 13/05/2022
Pot Size: $30,000 USDC
Total HM: 8
Participants: 65
Period: 3 days
Judge: hickuphh3
Total Solo HM: 1
Id: 125
League: ETH
Rank: 47/65
Findings: 1
Award: $44.75
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: IllIllI
Also found by: 0x1f8b, 0x4non, 0xNazgul, 0xf15ers, 0xkatana, 0xliumin, AlleyCat, BouSalman, Dravee, Funen, GimelSec, Hawkeye, MaratCerby, Picodes, StErMi, TerrierLover, WatchPug, Waze, berndartmueller, bobirichman, cryptphi, csanuragjain, defsec, delfin454000, dipp, fatherOfBlocks, hake, hickuphh3, hyh, joestakey, kebabsec, mics, mtz, oyc_109, p4st13r4, p_crypt0, robee, rotcivegaf, sikorico, simon135, sorrynotsorry, tintin
44.7498 USDC - $44.75
Low Risk
1. The initialize function, which initializes important contract state, can be called by anyone.
See:
##Impact##
An attacker can call initialize before the legitimate deployer does, hoping that the victim continues to use the same contract with attacker-controlled state.
##Recommended Mitigation Steps##
Use the constructor to initialize non-proxied contracts.
For proxied contracts, deploy them through a factory contract that calls initialize in the same transaction as deployment, or call initialize immediately after deployment and verify that the transaction succeeded.
2. Missing critical events and emits
Affected functions: YieldManager.setCurvePool(), YieldManager.registerAsset(), YieldManager.setExchangeToken(), LidoVault._withdrawFromYieldPool() and the other withdraw functions.
Tools used: Manual review
Emit an appropriate event from each of these functions so that off-chain monitoring can observe the state change.
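The following is an added illustration (not code from the audited YieldManager/LidoVault contracts) of both mitigations above: a factory that deploys and initializes a contract in one transaction, so no initialize call can land in between, and an admin setter that emits an event. ExampleVault, ExampleVaultFactory and their events are hypothetical names; the vault is non-proxied for brevity, and for a proxy the factory would deploy the proxy and call initialize through it in the same way.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical vault used to illustrate the two findings; not the audited contract.
contract ExampleVault {
    address public owner;
    address public curvePool;
    bool private initialized;

    event Initialized(address indexed owner);
    event CurvePoolSet(address indexed oldPool, address indexed newPool);

    // Finding 1: initialize is callable by anyone, and whoever calls it first
    // becomes owner. The guard below only prevents a second call; it does not
    // prevent a front-run of the first one, which is why the factory exists.
    function initialize(address _owner) external {
        require(!initialized, "already initialized");
        require(_owner != address(0), "zero owner");
        initialized = true;
        owner = _owner;
        emit Initialized(_owner);
    }

    // Finding 2: a state-changing admin function emits an event carrying the
    // old and new values so off-chain monitors can detect unexpected changes.
    function setCurvePool(address _pool) external {
        require(msg.sender == owner, "not owner");
        require(_pool != address(0), "zero pool");
        emit CurvePoolSet(curvePool, _pool);
        curvePool = _pool;
    }
}

// Mitigation for finding 1: deployment and initialize happen inside a single
// transaction, so there is no window in which a third party can initialize first.
contract ExampleVaultFactory {
    event VaultDeployed(address indexed vault, address indexed owner);

    function deploy(address vaultOwner) external returns (ExampleVault vault) {
        vault = new ExampleVault();
        vault.initialize(vaultOwner); // same tx as creation: cannot be front-run
        emit VaultDeployed(address(vault), vaultOwner);
    }
}
```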
#0 - HickupHH3
2022-06-06T07:38:55Z
Low: missing approve(0) NC: init frontrunning, event emission, zero address check