Cool Fleece Gazelle
medium
A malicious actor can front run the initialization of the AlchemicTokenV2Base
and CrossChainCanonicalBase
giving them full admin rights
These contracts can be front-run if the following conditions are met:
- The contract is deployed but not yet initialized.
- The transaction calling initialize is visible in the mempool and not yet mined.
- There are no additional access controls on the initialize function.
Malicious users would gain full access control of the contracts
Manual Review
Ensure that CrossChainCanonicalAlchemicTokenV2::initialize
is being called in the same transaction the contract is being deployed and/or make the contract Owanable
and add the onlyOwner
modifier to the initialization function so only a trusted user can call it.