The ProxyFactory contract uses a single-step ownership transfer mechanism, which is risky. Due to possible human error, the owner-privileged functions using the onlyOwner modifier can be locked permanently.
The ProxyFactory contract inherits from OpenZeppelin's Ownable contract. Ownable implements transferOwnership(), which transfers ownership of the ProxyFactory contract from the current owner to another address.
transferOwnership() provides a single-step ownership transfer mechanism, which is risky. If the current owner mistakenly supplies the wrong newOwner parameter (e.g., an address that is not owned by the new owner), the new owner will lose ownership of the contract immediately, and this action is unrecoverable.
Single-step ownership transfer mechanism used by the protocol: https://github.com/OpenZeppelin/openzeppelin-contracts/blob/a5ed318634016a25be4000ee07044a31f363e60c/contracts/access/Ownable.sol#L81-L96
The following owner-privileged functions using the onlyOwner modifier will be locked permanently.
To clarify the vulnerability: although only the owner can execute transferOwnership() and the owner is trusted, the incident can occur by mistake (i.e., this vulnerability is not about any centralization or trust risks; it is about the risk of input mistakes only).
The likelihood is considered LOW (since the owner is expected to do due diligence). The impact is considered HIGH. Therefore, the severity is considered MEDIUM.
Manual Review
Use OpenZeppelin's Ownable2Step contract instead. The Ownable2Step contract provides a two-step ownership transfer mechanism, guaranteeing that ownership of the ProxyFactory contract is transferred only to a new owner who can actually access their account.