Category: Business Logic

Initialization can be front-run

Informational Impact
Low Severity
Low Likelihood

Description

The InitStore instruction initializes a singleton PDA holding the OApp configuration and registers the OApp with LayerZero. The instruction also sets the admin for the OApp.

The instruction can only be invoked once, and it could be front-run if program deployment and OApp initialization are not performed in the same transaction.

Impact

The OApp initialization could be front-run, initializing the OApp with incorrect administrator and LayerZero endpoint addresses and requiring a redeployment of the program.

Recommendations

This low-likelihood threat is acceptable for most use cases; we recommend that you consider documenting this as a potential issue for high-risk, high-value targets, such as DEXes or oracles.
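The race described above, and a post-deployment check for it, as an added plain-Rust model that is not the audited program's code. The keys are constructed placeholders, and the upgrade-authority gate is an assumed hardening that goes beyond what this report recommends.

```rust
// Added model, not the audited program: plain Rust standing in for on-chain state.
type Pubkey = &'static str; // constructed placeholder keys
#[derive(Debug, Clone, PartialEq)]
struct Store { admin: Pubkey, endpoint: Pubkey }
struct Program {
    upgrade_authority: Pubkey, // recorded by the deploy transaction
    store: Option<Store>,      // singleton PDA: None until InitStore succeeds
}
#[derive(Debug, PartialEq)]
enum InitError { AlreadyInitialized, NotUpgradeAuthority }

impl Program {
    fn deploy(upgrade_authority: Pubkey) -> Self {
        Program { upgrade_authority, store: None }
    }

    // Behaviour described in the finding: the first caller wins, whoever it is.
    fn init_store(&mut self, _signer: Pubkey, admin: Pubkey, endpoint: Pubkey) -> Result<(), InitError> {
        if self.store.is_some() { return Err(InitError::AlreadyInitialized); }
        self.store = Some(Store { admin, endpoint });
        Ok(())
    }

    // Assumed hardening (not in the report): only the upgrade authority may initialize.
    fn init_store_gated(&mut self, signer: Pubkey, admin: Pubkey, endpoint: Pubkey) -> Result<(), InitError> {
        if signer != self.upgrade_authority { return Err(InitError::NotUpgradeAuthority); }
        self.init_store(signer, admin, endpoint)
    }

    // Post-deployment check: does the stored configuration match what the deployer intended?
    fn store_matches(&self, admin: Pubkey, endpoint: Pubkey) -> bool {
        self.store.as_ref() == Some(&Store { admin, endpoint })
    }
}

// Returns (result of the deployer's own init, whether the store holds the deployer's values).
fn race(gated: bool) -> (Result<(), InitError>, bool) {
    let mut p = Program::deploy("DEPLOYER");
    // Another party's InitStore lands between deployment and the deployer's own call.
    let _ = if gated { p.init_store_gated("OTHER", "OTHER", "OTHER_ENDPOINT") }
            else { p.init_store("OTHER", "OTHER", "OTHER_ENDPOINT") };
    let mine = if gated { p.init_store_gated("DEPLOYER", "ADMIN", "LZ_ENDPOINT") }
               else { p.init_store("DEPLOYER", "ADMIN", "LZ_ENDPOINT") };
    (mine, p.store_matches("ADMIN", "LZ_ENDPOINT"))
}

fn main() { println!("ungated: {:?}, gated: {:?}", race(false), race(true)); }
```

In the ungated run, the deployer's own call fails and the stored values do not match, which is the signal that a redeployment is needed.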

Remediation

This finding has been acknowledged by LayerZero Labs, Inc., and was addressed in commit by adding a comment explaining the risk to the InitStore instruction.

Zellic © 2025