Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: low
Valid

Changing Owner using Ownable

Summary

The developer is using Ownable.sol from OpenZeppelin; however, according to the OpenZeppelin team, this is no longer considered secure. The "Ownable" implementation has a shortcoming: it allows the owner to transfer ownership to a non-existent or mistyped address.

Vulnerability Details

As explained in Discord by Juliaaa, the owner might change from an EOA to a smart contract and vice versa. Although changing the owner is not a frequent activity, doing it wrong can lead to critical vulnerabilities because of missing access control. "Ownable" is no longer considered safe by the OpenZeppelin team, and according to their documentation its implementation has a shortcoming: it allows the owner to transfer ownership to a non-existent or mistyped address.
Because of that and the discussion in Discord about the owner changes, I think it should be considered as Medium risk.

Impact

It can lead to changing the owner to an address from which no access control is possible, thereby destroying the correct functionality of the project.

Tools Used

Manual review

Recommendations

The recommendation is to use Ownable2Step, which inherits from Ownable but has better security: https://docs.openzeppelin.com/contracts/4.x/api/access#Ownable2Step
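
The two-step handover recommended above, shown as a Foundry test. This is an added example, not code from the audited project or from the submission. It assumes forge-std and OpenZeppelin Contracts 4.x are installed; the `Vault` contract, `setFee` and the two addresses are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {Test} from "forge-std/Test.sol";
import {Ownable2Step} from "@openzeppelin/contracts/access/Ownable2Step.sol";

// Hypothetical owner-gated contract standing in for the audited one.
contract Vault is Ownable2Step {
    uint256 public fee;

    function setFee(uint256 newFee) external onlyOwner {
        fee = newFee;
    }
}

contract Ownable2StepTest is Test {
    // Constructed addresses: MISTYPED models a typo nobody holds a key for.
    address constant NEW_OWNER = address(0xB0B);
    address constant MISTYPED = address(0xB0C);

    Vault vault;

    function setUp() public {
        vault = new Vault(); // OZ 4.x: the deployer (this test) becomes owner
    }

    function test_MistypedTransferIsRecoverable() public {
        // Step 1 with a wrong address only records a pending owner.
        vault.transferOwnership(MISTYPED);
        assertEq(vault.owner(), address(this));
        assertEq(vault.pendingOwner(), MISTYPED);
        vault.setFee(1); // current owner keeps access control

        // The owner notices the typo and overwrites the pending owner.
        vault.transferOwnership(NEW_OWNER);
        assertEq(vault.pendingOwner(), NEW_OWNER);

        // Only the pending owner can complete step 2.
        vm.prank(MISTYPED);
        vm.expectRevert("Ownable2Step: caller is not the new owner");
        vault.acceptOwnership();

        vm.prank(NEW_OWNER);
        vault.acceptOwnership();
        assertEq(vault.owner(), NEW_OWNER);
        assertEq(vault.pendingOwner(), address(0));
    }
}
```

With plain Ownable, the first `transferOwnership(MISTYPED)` call would have moved ownership immediately and the later `setFee` call would revert.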
