Full Report
88mph had an initialization function without the onlyOwner() modifier. Additionally, there was no check to ensure that a contact wasn't double initialized. Three of the pool contracts were vulnerable to this. This means that ANYBODY could have became the owner of the contract. Using this, an attacker could steal other users NFTs and deposits as well as call mint() and burn() to add value to themselves. To do fix this bug, they had to steal all of the funds, upgrade the contract then fix the money back. Yikes... I hate this world. Regardless, a very simple access control bug from an apparently unaudited contract.
Analysis Summary
# Vulnerability: 88mph Unprotected Initializer Access Control
## CVE Details
- **CVE ID**: N/A (DeFi smart contract vulnerabilities often lack formal CVE assignments)
- **CVSS Score**: 10.0 (Critical - estimated based on direct impact on funds and ownership)
- **CWE**: CWE-287: Improper Authentication / CWE-670: Always-Incorrect Control Flow Implementation
## Affected Systems
- **Products**: 88mph DeFi Protocol (NFT and Pool contracts)
- **Versions**: Specific pools active prior to June 8, 2021.
- **Configurations**: The following contract addresses were identified as vulnerable:
- yaLINK Pool: `0x904F81EFF3c35877865810CCA9a63f2D9cB7D4DD`
- yaLINK Pool Deposit: `0xF0b7DE03134857391d8D43Ed48e20EDF21461097`
- Harvest CRV:STETH Pool: `0x303CB7Ede0c3AD99CE017CDC3aBAcD65164Ff486`
- Harvest CRV:STETH Pool Deposit: `0x6a76f1c362f2C871BEB9d930c9eFd02B07841A28`
- Harvest CRV:RENWBTC Pool: `0x22E6b9A65163CE1225D1F65EF7942a979d093039`
- Harvest CRV:RENWBTC Pool Deposit: `0xa08b1215ff7Ad33fa431E35569F95F684Cd9Bf9c`
## Vulnerability Description
The vulnerability stems from an unprotected `init()` function within the 88mph NFT smart contracts. This function, which establishes the owner of the contract, lacked both the `onlyOwner` access control modifier and a logic check (initializer modifier) to prevent the function from being executed more than once. Consequently, any external actor could call the `init()` function at any time to overwrite the contract owner with their own address.
## Exploitation
- **Status**: Exploited in a controlled "whitehack" to secure funds; PoC validated during disclosure.
- **Complexity**: Low
- **Attack Vector**: Network (Blockchain transaction)
## Impact
- **Confidentiality**: Low
- **Integrity**: Critical (Complete takeover of contract ownership)
- **Availability**: High (Ability to burn user NFTs and block deposit/funding functions)
- **Financial**: Total loss of funds ($6.5M was at risk) as an attacker could call privileged `mint()` and `burn()` functions to drain assets.
## Remediation
### Patches
- **V3 Deployment**: 88mph deprecated the affected contracts in favor of its V3 platform.
- **Code Correction**: To fix similar issues, developers must either:
1. Use a standard `constructor` instead of an `init()` function for non-upgradeable contracts.
2. Apply an `onlyOwner` modifier to the initialization function.
3. Implement an `initializer` check (e.g., OpenZeppelin’s `Initializable`) to strictly limit the function to a single execution.
### Workarounds
- **Emergency Pause**: The protocol team deployed a "dummy minter" contract that reverted all calls, effectively freezing the vulnerable functions to prevent front-running by attackers while they secured the funds.
## Detection
- **Indicators of Compromise**: Multiple calls to `init()` functions after the contract has been deployed; unexpected changes in the `owner()` address of the contract.
- **Detection Methods**: Smart contract security scanners (e.g., Slither, Mythril) often flag unprotected initialization functions as high-risk issues. Monitoring blockchain events for `OwnershipTransferred` logs or unexpected administrative calls.
## References
- Immunefi Original Report: hxxps://medium[.]com/immunefi/88mph-function-initialization-bugfix-review-c3a2282894d3
- Vulnerable Code Reference: hxxps://github[.]com/88mphapp/88mph-contracts/blob/a4c48d61661ae3d8ce5aadfda6e4de27c4f07a9e/contracts/NFT[.]sol#L39
- Whitehack Transaction: hxxps://etherscan[.]io/txs?a=0x7fdef304e2d4b464a745042f8db5abad277d3f11