Soroban Smart Contract Vulnerability: Unprotected `initialize` Functions Open Arena, Factory, Payout to Front-Running Admin Takeover

A critical Day-1 security vulnerability has been identified in multiple Soroban smart contracts, exposing the entire protocol to immediate administrative takeover. The `initialize` functions within the Arena, Factory, and Payout contracts are publicly callable by any address. This design flaw allows any observer of the contract deployment transaction on the ledger to front-run the legitimate deployment process. By calling `initialize` with their own address specified as the `admin` parameter, an attacker can instantly seize full administrative control of the contracts before the intended deployer can act.

The vulnerability is present in the core contract files: `contract/arena/src/lib.rs`, `contract/factory/src/lib.rs`, and `contract/payout/src/lib.rs`. The absence of a deployer authorization check—a common safeguard in other ecosystems—leaves these functions completely open. In the Soroban environment, which lacks a native `msg.sender` mechanism for deployer restriction, this oversight creates a direct path for an attacker to gain privileges that typically allow pausing or upgrading contracts, effectively compromising the protocol from its inception.

This is not a theoretical risk but a highly critical operational threat. The successful exploitation of this flaw would grant an attacker unilateral control over the contract suite, enabling them to halt operations, drain funds, or modify logic. The proposed mitigation involves implementing a manual deployer auth check within the initialization logic or having the factory contract handle the initialization of child arenas to enforce a trusted call path. Until this fix is deployed, the affected contracts remain vulnerable to a front-running attack that could result in a complete loss of administrative authority.