code-423n4/2024-07-loopfi-validation

No Access Control on Contract Initialization in Silo.sol

Closed this issue · 0 comments

Lines of code

https://github.com/code-423n4/2024-07-loopfi/blob/main/src/Silo.sol#L18-L21

Vulnerability details

Impact

The contract Silo.sol has a common vulnerability related to initialization. The constructor of the contract takes two parameters, _stakingVault and _lpEth, which are then set as immutable state variables, STAKING_VAULT and lpETH respectively.

The issue here is that there is no access control to prevent an unauthorized entity from deploying the contract and initializing it with any arbitrary address.

This could be a potential security risk as it could lead to unauthorized functionality in the contract.

Proof of Concept

https://github.com/code-423n4/2024-07-loopfi/blob/main/src/Silo.sol#L18-L21

constructor(address _stakingVault, address _lpEth) {
    STAKING_VAULT = _stakingVault;
    lpETH = IERC20(_lpEth);
}

Tools Used

Manual Review

Recommended Mitigation Steps

To fix this issue, it would be appropriate to implement an access control check in the constructor function to ensure that only authorized addresses are able to initialize the contract.

This can be achieved by checking the msg.sender against a list of authorized addresses or by integrating a widely used access control standard like OpenZeppelin's Ownable or AccessControl.

Assessed type

Access Control