Omniscia Echidna Finance Audit
EcdPtpToken Manual Review Findings
EcdPtpToken Manual Review Findings
EPT-01M: Improper Initialize Pattern
Type | Severity | Location |
---|---|---|
Logical Fault | Major | EcdPtpToken.sol:L17-L20 |
Description:
The linked initialize
pattern can cause an on-chain race condition to manifest whereby a malicious user / bot detects the initialize
function execution and instead executes it first with a malicious _operator
.
Example:
contracts/core/EcdPtpToken.sol
17function initialize(address _operator) external {18 require(operator == address(0x0));19 operator = _operator;20}
Recommendation:
We advise the contract to implement the ownable pattern and the function to be invoke-able only by the owner after which ownership is renounced.
Alleviation:
The code was adjusted to instead store a _deployer
variable that is utilized to guard access to the initialize
function thus preventing a race condition from manifesting.