Description
Tricky Carrot Antelope
Medium
Missing onlyInitializing Modifier in __vesting_init Function
Summary
The __vesting_init function in the contract is designed to initialize variables and grant roles to an admin during deployment. However, the function lacks the onlyInitializing modifier, which is crucial when inheriting contracts like symmVesting.sol. Without this modifier, the initialization logic could potentially be called multiple times, leading to unintended reinitialization and overwriting of critical state variables.
Root Cause
Root cause is in the __vesting_init Function of the Vesting.sol contract which lacks an onlyInitializing variable
Internal Pre-conditions
none
External Pre-conditions
none
Attack Path
- attacker calls __vesting_init to re-initiate token variables this is possible because according to open zeppenlin inherited contracts should have the onlyInitializing modifier and not the intializer modifier
Impact
Reinitialization Risk: The absence of the onlyInitializing modifier allows the function to be called multiple times. This could overwrite important state variables and roles, leading to security vulnerabilities and operational issues.
PoC
No response
Mitigation
replace onlyInitializing in _vesting_init to initializer