Hermez, HermezAuctionProtocol, and WithdrawalDelayer have initialization functions that can be front-run, allowing an attacker to incorrectly initialize the contracts.
Due to the use of the delegatecall proxy pattern, Hermez, HermezAuctionProtocol, and WithdrawalDelayer cannot be initialized with a constructor, and have initializer functions.
All these functions can be front-run by an attacker, allowing them to initialize the contracts with malicious values.
Short term, either: 1. Use a factory pattern that will prevent front-running of the initialization, or 2. Ensure the deployment scripts are robust in case of a front-running attack.
Carefully review the Solidity documentation, especially the Warnings section.
Carefully review the pitfalls of using the delegatecall proxy pattern.
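The factory option from the short-term recommendation, as an added example (not code from Hermez or from the audit report): the proxy runs the initializer inside its own constructor, so deployment and initialization happen in one transaction and there is no uninitialized state on-chain to front-run. `Logic`, `InitProxy` and `Factory` are hypothetical names, and `Logic` is a simplified stand-in for an implementation contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; Logic, InitProxy and Factory are hypothetical names.
contract Logic { // stand-in implementation that cannot use a constructor
    address public governance;
    bool private initialized;

    function initialize(address _governance) external {
        require(!initialized, "already initialized");
        initialized = true;
        governance = _governance;
    }
}

contract InitProxy {
    // EIP-1967 implementation slot: keccak256("eip1967.proxy.implementation") - 1
    bytes32 private constant IMPL_SLOT =
        0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;

    // The initializer is delegatecalled during creation, so the proxy never
    // exists on-chain in an uninitialized state.
    constructor(address impl, bytes memory initData) {
        assembly { sstore(IMPL_SLOT, impl) }
        (bool ok, ) = impl.delegatecall(initData);
        require(ok, "init failed");
    }

    fallback() external {
        assembly {
            let impl := sload(IMPL_SLOT)
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            if iszero(ok) { revert(0, returndatasize()) }
            return(0, returndatasize())
        }
    }
}

contract Factory {
    event Deployed(address proxy);

    function deploy(address impl, address governance) external returns (address proxy) {
        bytes memory initData = abi.encodeCall(Logic.initialize, (governance));
        proxy = address(new InitProxy(impl, initData));
        require(Logic(proxy).governance() == governance, "unexpected init state");
        emit Deployed(proxy);
    }
}
```

The `require` after deployment is the same post-condition a deployment script would check under the second option: read the initialized values back and abort if they differ from what was intended.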
- ToB Audit Hermez Finding 12
- Configuration
- High Severity
- Front-running
- Initialization Functions
- Factory-pattern
- Atomic Deploy/Init Script
- Youtube Reference
- High Risk severity finding from ToB’s Audit of Hermez