Punk Protocol Re-initialize
Total Losses
$8.9M+
Date
Network
Categories
access control reinitialization
Step-by-step
- Call `initialize` to set your own `forge_` address
- Call `withdrawToForge` to withdraw tokens
Detailed Description
The Punk protocol pools did not prevent someone from calling `initialize` after the contracts were already initialized.
The attacker called `initialize` through the proxy and set their own `forge_` address, which allowed them to later call `withdrawToForge`, which, as the name implies, withdraws all the funds to the forge address.
```solidity
function initialize(
    address forge_,
    address token_,
    address cToken_,
    address comp_,
    address comptroller_,
    address uRouterV2_
) public {
}
```
Possible mitigations
`initialize` functions should always be protected so they can be called only once.
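A minimal sketch of such a one-time guard, added here as an example and not taken from Punk Protocol's code. Only the `initialize` parameter list comes from the page; the contract name, state variables, error and modifier are assumptions. OpenZeppelin's `Initializable` provides an `initializer` modifier that serves the same purpose.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Added illustration: contract name, storage layout, error and modifier
// are assumptions. Only the initialize() parameter list is from the page.
contract GuardedPool {
    error AlreadyInitialized();

    // When the pool is reached through a proxy (delegatecall), this flag
    // lives in the proxy's storage, next to the values it protects.
    bool private _initialized;

    address public forge;
    address public token;
    address public cToken;
    address public comp;
    address public comptroller;
    address public uRouterV2;

    // Lock the implementation contract itself. A constructor writes only to
    // the implementation's own storage, so each proxy can still be
    // initialized exactly once.
    constructor() {
        _initialized = true;
    }

    modifier initializer() {
        if (_initialized) revert AlreadyInitialized();
        _initialized = true; // set before the body runs, so re-entry also reverts
        _;
    }

    function initialize(
        address forge_,
        address token_,
        address cToken_,
        address comp_,
        address comptroller_,
        address uRouterV2_
    ) public initializer {
        require(forge_ != address(0), "forge is zero address");
        forge = forge_;
        token = token_;
        cToken = cToken_;
        comp = comp_;
        comptroller = comptroller_;
        uRouterV2 = uRouterV2_;
    }
}
```

With this guard, a second `initialize` call through the proxy reverts with `AlreadyInitialized` instead of overwriting `forge`.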