Submission Details
Severity: medium
Valid

Access Control Issues

Summary

Beedle.sol, Lender.sol and Staking.sol inherit from a custom Ownable abstract contract rather than from OpenZeppelin's battle-tested Ownable implementation.

Vulnerability Details

Ownable.sol in this protocol is an abstract contract written by the developers themselves rather than a battle-tested library such as OpenZeppelin's Ownable.sol. This contract implements the onlyOwner() modifier. The owner address is set in the constructor, and there is no zero-address check, so the contract can be deployed without an owner. The consequences are severe: if the owner is initialised to address(0), Beedle tokens can no longer be minted or burned, since only the owner can do that. This holds for as long as transferOwnership(address _owner) has not been called after the contract was wrongly deployed without an owner; however, transferOwnership() is callable only by the current owner, and if that owner is address(0) the function can never be called.

Impact

This could lead to the protocol not being able to work as expected.

Tools Used

Manual Review

Recommendations

Consider using OpenZeppelin's Ownable library. Ownable2Step is an even better choice, as it offers a two-step method of transferring ownership, which is generally considered safer.
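As an added illustration (not code from the Beedle repository or from OpenZeppelin), the following shows a hypothetical reconstruction of the weak single-step pattern described above next to a hardened version that mirrors OpenZeppelin's Ownable2Step; contract names, revert strings and the pendingOwner field are assumptions.

```solidity
pragma solidity ^0.8.19;

// Weak pattern (hypothetical reconstruction, not the protocol's code): the owner
// is set in the constructor with no zero-address check. If _owner is address(0),
// onlyOwner can never be satisfied, so mint/burn and transferOwnership are dead.
abstract contract OwnableWeak {
    address public owner;

    constructor(address _owner) {
        owner = _owner; // no check against address(0)
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function transferOwnership(address _owner) external onlyOwner {
        owner = _owner; // single step: a typo here also orphans the contract
    }
}

// Hardened pattern, mirroring OpenZeppelin's Ownable2Step: reject address(0) at
// construction and require the nominee to accept before ownership moves.
abstract contract OwnableTwoStep {
    address public owner;
    address public pendingOwner;

    constructor(address _owner) {
        require(_owner != address(0), "owner is zero address");
        owner = _owner;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Step 1: current owner nominates; owner is unchanged until acceptance.
    function transferOwnership(address newOwner) external onlyOwner {
        pendingOwner = newOwner;
    }

    // Step 2: only the nominee can accept, proving the address is live and correct.
    function acceptOwnership() external {
        require(msg.sender == pendingOwner, "not pending owner");
        owner = msg.sender;
        delete pendingOwner;
    }
}
```

A deployment script or test should additionally assert that owner() is non-zero right after construction, which catches a mis-passed constructor argument before any funds are involved.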
