Lines of code
<https://github.com/code-423n4/2022-07-fractional/blob/main/src/Vault.sol#L24-L29>
Every Vault is a proxy of the same implementation contract. This implementation is deployed from VaultFactory but never initialized.
```solidity
/// @notice Initializes implementation contract
constructor() {
    implementation = address(new Vault());
}
```
Someone can call init() in the implementation and become the owner.
```solidity
/// @dev Initializes nonce and proxy owner
function init() external {
    if (nonce != 0) revert Initialized(owner, msg.sender, nonce);
    nonce = 1;
    owner = msg.sender;
    emit TransferOwnership(address(0), msg.sender);
}
```
Having total control over the implementation contract, they can make it delegatecall to a selfdestruct. The implementation contract is then destroyed, and because every Vault is a proxy of it, all Vaults lose their functionality.
Call init() on the implementation right after creating it.
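The mitigation above as a self-contained sketch, added here and not taken from the project's code: `VaultSketch`, `VaultFactorySketch` and `InitCheck` are hypothetical stand-ins that keep only the `init()` logic quoted above, and the factory is assumed to expose no function that acts on the implementation as its owner.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

/// Reduced stand-in for the Vault on this page (hypothetical name): only init() is kept.
contract VaultSketch {
    address public owner;
    uint256 public nonce;

    event TransferOwnership(address indexed from, address indexed to);
    error Initialized(address _owner, address _caller, uint256 _nonce);

    /// Same guard as the quoted init(): the first caller becomes owner, later calls revert.
    function init() external {
        if (nonce != 0) revert Initialized(owner, msg.sender, nonce);
        nonce = 1;
        owner = msg.sender;
        emit TransferOwnership(address(0), msg.sender);
    }
}

/// Hardened factory (hypothetical name): the implementation is initialized in the
/// same transaction that deploys it, so no outside caller can ever claim ownership.
contract VaultFactorySketch {
    address public immutable implementation;

    constructor() {
        VaultSketch impl = new VaultSketch();
        impl.init(); // owner of the implementation is now this factory
        implementation = address(impl);
    }
}

/// Deployment check (hypothetical helper): returns true when init() on the
/// implementation reverts, meaning it can no longer be taken over.
contract InitCheck {
    function implementationIsLocked(VaultFactorySketch factory) external returns (bool) {
        try VaultSketch(factory.implementation()).init() {
            return false; // init() succeeded: the implementation was still unclaimed
        } catch {
            return true; // init() reverted with Initialized: already locked
        }
    }
}
```

Proxies keep their own storage, so initializing the implementation does not affect the `init()` call each Vault proxy makes for itself.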