Initialization of `CrossChainCanonicalBase` and `AlchemicTokenV2Base` can be front run

Summary

A malicious actor can front run the initialization of the AlchemicTokenV2Base and CrossChainCanonicalBase giving them full admin rights

Vulnerability Detail

These contracts can be front-run if the following conditions are met:

The contract is deployed but not yet initialized.
The transaction calling initialize is visible in the mempool and not yet mined.
There are no additional access controls on the initialize function.

Code Snippet

https://github.com/sherlock-audit/2024-04-alchemix/blob/main/v2-foundry/src/CrossChainCanonicalAlchemicTokenV2.sol#L12-#L17

Impact

Malicious users would gain full access control of the contracts

Tool used

Manual Review

Recommendation

Ensure that CrossChainCanonicalAlchemicTokenV2::initialize is being called in the same transaction the contract is being deployed and/or make the contract Owanable and add the onlyOwner modifier to the initialization function so only a trusted user can call it.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

034.md

034.md

Initialization of `CrossChainCanonicalBase` and `AlchemicTokenV2Base` can be front run

Summary

Vulnerability Detail

Code Snippet

Impact

Tool used

Recommendation

Files

034.md

Latest commit

History

034.md

File metadata and controls

Initialization of CrossChainCanonicalBase and AlchemicTokenV2Base can be front run

Summary

Vulnerability Detail

Code Snippet

Impact

Tool used

Recommendation

Initialization of `CrossChainCanonicalBase` and `AlchemicTokenV2Base` can be front run