QA Report #7
Labels: bug, QA (Quality Assurance): assets are not at risk; state handling, function incorrect as to spec, issues with clarity, syntax.
[Low-01] ForgottenRunesWarriorsGuild: The initialize function can be called multiple times
Impact
The initialize function in the ForgottenRunesWarriorsGuild contract is not guarded by a state variable, so it can be called multiple times, and each call overwrites the values set by the previous one.
Proof of Concept
https://github.com/code-423n4/2022-05-runes/blob/060b4f82b79c8308fe65674a39a07c44fa586cd3/contracts/ForgottenRunesWarriorsGuild.sol#L52-L54
Tools Used
None
Recommended Mitigation Steps
Set a state variable in the initialize function and check it on entry so that the initialize function can only be called once.
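As an added illustration (not the Forgotten Runes code), the unguarded pattern beside the guarded one. The contract and parameter names are hypothetical; the point is the `initialized` flag checked and set before any state is written:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical contract: initialize() has no guard, so any later call
// silently overwrites `minter`.
contract UnguardedInit {
    address public minter;

    function initialize(address _minter) public {
        minter = _minter;
    }
}

// Same contract with a one-shot guard: the flag is set before the
// state write, and a second call reverts.
contract GuardedInit {
    address public minter;
    bool private initialized;

    event Initialized(address indexed minter);

    function initialize(address _minter) public {
        require(!initialized, "already initialized");
        require(_minter != address(0), "zero address");
        initialized = true;
        minter = _minter;
        emit Initialized(_minter);
    }
}
```

If the project already depends on OpenZeppelin, the `initializer` modifier from `Initializable` provides the same guard; the hand-written flag above shows what that modifier does.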
[Low-02] Missing event & timelock for critical onlyOwner functions
Impact
Same as code-423n4/2021-09-swivel-findings#101 and code-423n4/2021-11-overlay-findings#120
onlyOwner functions that change critical contract parameters, addresses or state should emit events and consider adding timelocks, so that users and other privileged roles can detect upcoming changes (by offchain monitoring of events) and have time to react to them.
Proof of Concept
https://github.com/code-423n4/2022-05-runes/blob/060b4f82b79c8308fe65674a39a07c44fa586cd3/contracts/ForgottenRunesWarriorsGuild.sol#L129-L147
https://github.com/code-423n4/2022-05-runes/blob/060b4f82b79c8308fe65674a39a07c44fa586cd3/contracts/ForgottenRunesWarriorsMinter.sol#L441-L602
Tools Used
None
Recommended Mitigation Steps
Consider using a timelock for critical parameters of the system and emitting events to inform the outside world.
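As an added example (not the Forgotten Runes code), one way to apply both recommendations to a single critical address: the change is queued with an event, can only be executed after a delay, and every transition is observable offchain. The `vault` parameter and the 2-day `DELAY` are hypothetical choices for illustration:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical contract: a critical address is changed only through a
// two-step, event-emitting, timelocked process.
contract TimelockedSetter {
    uint256 public constant DELAY = 2 days; // assumed delay for illustration

    address public owner;
    address public vault;          // critical parameter (hypothetical)

    address public pendingVault;   // proposed new value, zero when nothing is queued
    uint256 public vaultChangeEta; // earliest timestamp at which the change may apply

    event VaultChangeQueued(address indexed current, address indexed proposed, uint256 eta);
    event VaultChangeCancelled(address indexed proposed);
    event VaultChanged(address indexed previous, address indexed current);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(address _vault) {
        owner = msg.sender;
        vault = _vault;
    }

    // Step 1: announce the change. Offchain monitors index the event and
    // have DELAY seconds to react before it can take effect.
    function queueVaultChange(address _newVault) external onlyOwner {
        require(_newVault != address(0), "zero address");
        pendingVault = _newVault;
        vaultChangeEta = block.timestamp + DELAY;
        emit VaultChangeQueued(vault, _newVault, vaultChangeEta);
    }

    // Owner can withdraw a queued change; this is also logged.
    function cancelVaultChange() external onlyOwner {
        require(pendingVault != address(0), "nothing queued");
        emit VaultChangeCancelled(pendingVault);
        pendingVault = address(0);
        vaultChangeEta = 0;
    }

    // Step 2: apply the change, only once the delay has elapsed.
    function executeVaultChange() external onlyOwner {
        require(pendingVault != address(0), "nothing queued");
        require(block.timestamp >= vaultChangeEta, "timelock active");
        address previous = vault;
        vault = pendingVault;
        pendingVault = address(0);
        vaultChangeEta = 0;
        emit VaultChanged(previous, vault);
    }
}
```

The three events give a monitor everything it needs: a queued change with its earliest execution time, any cancellation, and the final old/new pair. A single-step setter that emits only the final event still leaves users no window in which to respond.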