Skip to content

Latest commit

 

History

History
47 lines (39 loc) · 1.76 KB

File metadata and controls

47 lines (39 loc) · 1.76 KB

Punk Protocol Re-initialize

Step-by-step

  1. Call initialize to set your own forge_ address
  2. Call withdrawToForge to withdraw tokens

Detailed Description

The Punk protocol pools did not prevent someone from calling initialize after the contracts were already initialized.

The attacker called initialize through the proxy and set their own forge_ address, which allowed them to later call withdrawToForge, which, as the name implies, withdraws all the funds to the forge address.

    function initialize( 
        address forge_, 
        address token_,
        address cToken_, 
        address comp_, 
        address comptroller_,
        address uRouterV2_ ) public {
    }

Possible mitigations

  • initialize functions should always be protected so they can be called only once

Diagrams and graphs

Entity and class diagram

PlantUML

Sources and references