Ownable contract does not do a two-step change of ownership
Ownable.sol line 19
```solidity
// Vulnerable as written: the new owner takes effect immediately, with no
// address(0) check and no requirement that _owner ever claims the role.
function transferOwnership(address _owner) public virtual onlyOwner {
    owner = _owner;
    emit OwnershipTransferred(msg.sender, _owner);
}
```
There is no check that the address passed as _owner is actually under anyone's control (i.e. that someone holds its private keys), because the new owner is never required to claim the role.
Worse, there is no address(0) check when transferring ownership.
Ownable is inherited by Beedle.sol and Lender.sol, which expose critical onlyOwner functions such as setting fees, setting the fee receiver address and minting the Beedle token.
High:
The zero address may easily be passed into transferOwnership, maliciously or by error. An address whose private keys have been lost can also be made owner. In either case the contracts relying on Ownable end up with no usable owner, so functions such as minting tokens, adjusting lending and borrowing fees and setting the fee receiver address can no longer be called.
The impact may be lower if this is the intended design, i.e. if transferring to address(0) is meant to serve as renounceOwnership to reduce centralization of the protocol. The documentation does not say anything about this, so it is not clear. It is also not clear from the documentation whether the owner will be Governance, although Lender.sol line 78 indicates that the contracts and their onlyOwner functions are controlled by governance. If that is the case, the risk of transferring ownership to an address without control of its keys is lower, since the likely change would be to a new Governance contract.
However, if the Governance contract ever needs to be upgraded, a mistake in transferOwnership (passing the zero address or a wrong address) would still cause the contracts to lose their owner. The project would then lose governance over the protocol, so this remains a Medium to High issue.
Manual Analysis
It is recommended that the Ownable contract be replaced with OpenZeppelin's Ownable2Step contract, or that equivalent functionality be added to the existing Ownable contract, so that a proposed new owner must explicitly claim ownership before the transfer takes effect.