DeFi Fixed Rate Generation Protocol 88mph Releases Critical Vulnerability Fix Report for “init()” Function

It’s official: DeFi Fixed Rate Generation Protocol 88mph has released a fix report for a critical vulnerability in the “init()” function. The report comes after iosiro security researcher Ashiq Amien disclosed to Immunefi, a smart contract vulnerability bounty platform, that a critical vulnerability, an unprotected “init()” function, was found in 88mph’s CRV:RENWBTC, CRV:STETH and yaLink pools, and that these specific pools’ init() function is used to initialize NFT contracts for the 88mph platform. Because init() is unprotected, it can be called multiple times by anyone, allowing a malicious attacker to access any user’s NFT and deposits. Following Immunefi’s disclosure of the vulnerability, 88mph suspended the affected contracts and returned user funds to the eligible owners. 88mph has stated that it will soon deploy its V3 platform, which will deprecate the affected contracts, so an immediate fix is not required. Aware of the potentially devastating impact of the vulnerability, 88mph awarded a $42,069 bounty to iosiro at the white hat’s request.
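
The bug class described above, shown as an added example that is not 88mph's code: an initializer with no guard beside a version that can run only once. The contract names, the `initializer` and `onlyOwner` modifiers, and the `setName` function are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed example: contract, function and variable names are hypothetical.

// "Before": init() has no guard, so any account can call it again after
// deployment and replace the owner that controls privileged functions.
contract UnguardedNFT {
    address public owner;
    string public name;

    function init(address newOwner, string calldata tokenName) external {
        owner = newOwner;
        name = tokenName;
    }
}

// "After": init() succeeds exactly once; every later call reverts.
contract GuardedNFT {
    address public owner;
    string public name;
    bool private initialized;

    // One-shot guard: flips the flag before the function body runs.
    modifier initializer() {
        require(!initialized, "already initialized");
        initialized = true;
        _;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function init(address newOwner, string calldata tokenName) external initializer {
        require(newOwner != address(0), "owner is zero address");
        owner = newOwner;
        name = tokenName;
    }

    // Privileged operation stays bound to the owner set by the single init() call.
    function setName(string calldata tokenName) external onlyOwner {
        name = tokenName;
    }
}
```

The guarded `init()` still has to be called in the same transaction that deploys the contract (for example by the deploying factory), otherwise the first caller wins. When reviewing contracts, check every externally callable initializer for a one-shot guard of this kind, or for use of an audited equivalent such as OpenZeppelin's `Initializable`.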