20,000 USDC
Submission Details
Severity: medium
Valid

Lack of Two Steps Verification before Transferring Ownership

Summary

Critical operations such as ownership transfer are performed in a single step, so a mistyped address takes effect immediately and irreversibly. Consider adding a two-step procedure (transfer and accept) to these critical functions.

Vulnerability Details

The Ownable contract does not use a two-step transfer pattern. transferOwnership() assigns the new owner unconditionally, so if the admin or owner passes a wrong address (a typo, the zero address, an address nobody controls, or a contract that cannot call back into this one), the change takes effect in the same transaction. Ownership is then effectively lost, as if it had been renounced, and there is no way to recover it.

File: Ownable.sol

// Single-step transfer: the new owner is written immediately,
// with no confirmation from the nominated address.
function transferOwnership(address _owner) public virtual onlyOwner {
    owner = _owner;
    emit OwnershipTransferred(msg.sender, _owner);
}

Impact

If a wrong address is entered, ownership is permanently lost: every onlyOwner function, including any future configuration change, becomes unreachable, and the protocol can no longer be administered or upgraded.

Tools Used

Manual analysis

Recommendations

Consider implementing a two-step process in which the owner or admin nominates an account and the nominated account must call an acceptOwnership() function for the transfer to take effect. Because only the nominee can complete the transfer, a mistyped or uncontrolled address can never become owner; it simply leaves a pending nomination that the current owner can overwrite or cancel.
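The recommended pattern in full, as an added example rather than the audited project's code. It keeps the owner and OwnershipTransferred names from the snippet above; pendingOwner, OwnershipTransferStarted, acceptOwnership() and the custom errors are assumed names chosen for this illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example of a two-step ownership transfer (not the audited Ownable.sol).
// Names other than `owner` and `OwnershipTransferred` are assumptions.
contract Ownable2Step {
    address public owner;
    address public pendingOwner;

    event OwnershipTransferStarted(address indexed previousOwner, address indexed newOwner);
    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    error NotOwner();
    error NotPendingOwner();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
        emit OwnershipTransferred(address(0), msg.sender);
    }

    // Step 1: the current owner nominates a candidate. `owner` is untouched,
    // so a typo only records a wrong candidate and can be corrected by calling
    // this function again. Nominating address(0) cancels any pending transfer,
    // because no one can send a transaction from the zero address.
    function transferOwnership(address _newOwner) public virtual onlyOwner {
        pendingOwner = _newOwner;
        emit OwnershipTransferStarted(owner, _newOwner);
    }

    // Step 2: only the nominated account can complete the transfer. Succeeding
    // here proves the address is controlled by something able to transact,
    // which is exactly what the single-step version never checks.
    function acceptOwnership() public virtual {
        if (msg.sender != pendingOwner) revert NotPendingOwner();
        address previousOwner = owner;
        owner = msg.sender;
        pendingOwner = address(0);
        emit OwnershipTransferred(previousOwner, msg.sender);
    }

    // Giving up ownership stays possible, but only as a deliberate, separately
    // named action rather than as the side effect of a wrong argument.
    function renounceOwnership() public virtual onlyOwner {
        address previousOwner = owner;
        owner = address(0);
        pendingOwner = address(0);
        emit OwnershipTransferred(previousOwner, address(0));
    }
}
```

With this layout a nomination to a wrong address is harmless: the current owner keeps full control until the intended account itself calls acceptOwnership(), and a pending nomination can be replaced or cleared at any time.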
