fix: restrict contract initialization to authorized deployer only#307
Merged
hman38705 merged 1 commit intoMar 27, 2026
Merged
Conversation
- Add e.deployer().require_auth() as the first check in initialize() - Prevents front-running attacks where an attacker monitors deployment and races to call initialize() with their own admin address - Only the deployer's signed transaction can pass the auth check - Add test_initialize_rejects_non_deployer to verify enforcement Closes solutions-plug#28
|
@Fidelis900 Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits. You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Title: fix: restrict contract initialization to authorized deployer only
Body:
Summary
Fixes #28 — Protect Contract Initialization from Front-Running
The initialize function was callable by any address as long as the contract hadn't been initialized yet. An attacker
could monitor the mempool, detect a deployment, and race to call initialize with their own address as admin.
Changes
deployer's cryptographically signed transaction can succeed — the race is irrelevant because no other address can pass
the auth check.
asserts that an arbitrary attacker address cannot call initialize.
How it prevents the attack
The existing AlreadyInitialized guard only blocks a second call. It offers no protection if the attacker wins the first
call. e.deployer().require_auth() requires the deployer's signature to be present in the transaction, so even a front-
running transaction submitted by another address will be rejected by the Soroban host before any state is written.
Testing
closes #136