
Punk Protocol Re-initialize

Total Losses

$8.9M+

Date

Network

Ethereum

Categories

access control, reinitialization

Step-by-step

  1. Call initialize to set your own forge_ address
  2. Call withdrawToForge to withdraw tokens

Detailed Description

The Punk protocol pools did not prevent initialize from being called again after the contracts had already been initialized.

The attacker called initialize through the proxy and set their own forge_ address. This allowed them to later call withdrawToForge, which, as the name implies, withdraws all the funds to the forge address.

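    function initialize(
        address forge_,
        address token_,
        address cToken_,
        address comp_,
        address comptroller_,
        address uRouterV2_
    ) public {
        // Body not shown. Per the description above, there was no check
        // that the pool had already been initialized.
    }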

Possible mitigations

  • initialize functions should always be protected so they can be called only once
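
A sketch of that mitigation, added here as an illustration and not taken from the Punk Protocol code base: a one-time guard on initialize, plus a constructor that locks the implementation contract behind the proxy. The contract name, the interface, the custom errors, the reduced two-argument signature and the caller check in withdrawToForge are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal token interface, defined inline to keep the example self-contained.
interface IERC20Minimal {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical pool; only initialize, forge_ and withdrawToForge are names from the write-up.
contract GuardedPool {
    error AlreadyInitialized();
    error ZeroAddress();
    error NotForge();

    // When reached through a proxy (delegatecall), this flag lives in the proxy's storage.
    bool private _initialized;
    address public forge;
    IERC20Minimal public token;

    // Constructors run only on the implementation, never under delegatecall, so this
    // locks the implementation itself without touching the proxy's flag.
    constructor() {
        _initialized = true;
    }

    // Reverts on any call after the first, so forge cannot be overwritten later.
    modifier initializer() {
        if (_initialized) revert AlreadyInitialized();
        _initialized = true;
        _;
    }

    // Signature reduced to two of the six parameters for brevity.
    function initialize(address forge_, address token_) external initializer {
        if (forge_ == address(0) || token_ == address(0)) revert ZeroAddress();
        forge = forge_;
        token = IERC20Minimal(token_);
    }

    // Assumption for this example: only the forge recorded at initialization may pull funds.
    function withdrawToForge() external {
        if (msg.sender != forge) revert NotForge();
        uint256 balance = token.balanceOf(address(this));
        require(token.transfer(forge, balance), "transfer failed");
    }
}
```

The guard only helps if the legitimate initialize call lands first, so the proxy should be initialized in the same transaction that deploys it. OpenZeppelin's Initializable contract provides an equivalent initializer modifier and a _disableInitializers() helper for the implementation constructor.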