Critical Vulnerability in Rewards Contract: Missing Authentication Allows Front-Running Attack

A critical security flaw has been identified in a blockchain rewards contract, exposing it to a front-running attack that could allow an attacker to seize control of the system and drain funds. The vulnerability resides in the contract's `initialize` function, which lacks any authentication check. This allows any observer of the contract deployment to race to call the function with attacker-controlled addresses before the legitimate deployer can do so.

The issue is located in the `contracts/rewards/src/lib.rs` file. The `initialize` function, which sets the crucial token address, quest contract address, and milestone contract address, proceeds without calling `require_auth()`. An attacker exploiting this could set the `token_addr` to a token they control and point the `quest_contract_addr` to a malicious contract designed to always designate the attacker as the quest owner. This combination would enable the draining of any funds deposited into the system later. The vulnerability is compounded by a one-time guard (`AlreadyInitialized`), meaning the legitimate deployer cannot rectify the situation after a successful attack.

The suggested fix is to add an `admin: Address` parameter to the `initialize` function and call `admin.require_auth()` at its start, mirroring the secure pattern already used in the project's milestone contract. This oversight highlights the severe risks of missing basic access controls in smart contract deployment, where a single unprotected function can compromise an entire financial system.