Submission Details
Severity: medium
Invalid

`PuppyRaffle` contract ownership can be transferred to a non-existent address

Summary

Ownership of the `PuppyRaffle` contract can be transferred to a non-existent address, interrupting certain owner-privileged actions such as the ability to set the `feeAddress`.

Vulnerability Details

    function changeFeeAddress(address newFeeAddress) external onlyOwner {
        feeAddress = newFeeAddress;
        emit FeeAddressChanged(newFeeAddress);
    }

The `changeFeeAddress` function, for example, allows the owner to set a fee collection address. If contract ownership is lost because the new owner is never required to confirm ownership from a real account, this function can no longer be called by anyone, and fees, if a fee address was previously set, will simply continue to accrue to the old address.

@> import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol"; // vulnerable line of code
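
The two-step handover that the finding says is missing, as an added sketch (not PuppyRaffle's or OpenZeppelin's code). The contract name `TwoStepFeeConfig`, its custom errors and the pragma are assumptions made for illustration; only `changeFeeAddress` and `FeeAddressChanged` come from the snippet above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: a minimal two-step ownership handover protecting a
// fee-address setter. Hypothetical contract, not PuppyRaffle or OpenZeppelin code.
contract TwoStepFeeConfig {
    address public owner;
    address public pendingOwner; // nominated, but holds no privileges yet
    address public feeAddress;

    event OwnershipTransferStarted(address indexed from, address indexed to);
    event OwnershipTransferred(address indexed from, address indexed to);
    event FeeAddressChanged(address newFeeAddress);

    error NotOwner(address caller);
    error NotPendingOwner(address caller);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner(msg.sender);
        _;
    }

    constructor(address initialFeeAddress) {
        owner = msg.sender;
        feeAddress = initialFeeAddress;
    }

    // Step 1: the current owner nominates a successor. `owner` is unchanged,
    // so a mistyped or uncontrolled address can simply be overwritten.
    function transferOwnership(address newOwner) external onlyOwner {
        pendingOwner = newOwner;
        emit OwnershipTransferStarted(owner, newOwner);
    }

    // Step 2: only the nominee can complete the handover, which proves that
    // someone actually controls that address.
    function acceptOwnership() external {
        if (msg.sender != pendingOwner) revert NotPendingOwner(msg.sender);
        emit OwnershipTransferred(owner, msg.sender);
        owner = msg.sender;
        delete pendingOwner;
    }

    // Same setter as in the finding; it stays callable by the old owner
    // until the nominee accepts.
    function changeFeeAddress(address newFeeAddress) external onlyOwner {
        feeAddress = newFeeAddress;
        emit FeeAddressChanged(newFeeAddress);
    }
}
```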

Impact

Lose owner-privileged actions.

Tools Used

Manual review

Recommendations

Use Ownable2Step instead.

- import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
+ import { Ownable2Step } from "@openzeppelin/contracts/access/Ownable2Step.sol";
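
Review bot: the change stops at the import line, so the contract would still inherit `Ownable` and transfers would remain single-step. The contract declaration needs the same swap from `Ownable` to `Ownable2Step`. The recommendation should also state that the nominated owner has to call `acceptOwnership()` before the handover takes effect, since until then the previous owner keeps all `onlyOwner` functions such as `changeFeeAddress`.
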
Updates

Lead Judging Commences

Hamiltonite Lead Judge almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Admin Input/call validation
