This vulnerability highlights the potential risk of a smart contract losing its ownership when the owner mistakenly transfers ownership to an unintended address by invoking the transferOwnership function.
The problem arises when the owner, who can legitimately transfer ownership, selects the wrong address by mistake. This unintended transfer can leave the contract with an unintended owner, and rectifying this situation can be difficult.
Accidental Ownership: The contract may end up with an unintended owner, causing operational and security issues.
Loss of Control: The intended owner may lose control over the contract and its assets.
Risk of Misuse: An unintended owner might misuse their power or make unauthorized changes to the contract, affecting its functionality.
VS Code: Manual
Implement a two-step ownership transfer process.
In the first step, the current owner initiates the transfer, and in the second step, the intended new owner confirms their acceptance of the ownership.
This ensures that both parties are in agreement, reducing the risk of accidental transfers.
Moreover, the team can use the Ownable2Step contract, which extends Ownable, to apply the two-step ownership transfer:
https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/access/Ownable2Step.sol