Single step process for critical ownership transfer is risky
Summary
Single-step process for critical ownership transfer is risky due to possible human error which could result in locking all the functions that use the onlyOwner modifier.
Vulnerability Details
The custom contract OwnableUpgradeable.sol is inherited by SmartVaultManagerV5.sol which gives ownable functionality.
However, its implementation is not safe currently as the process is 1-step which is risky due to a possible human error and such an error is unrecoverable. For example, an incorrect address, for which the private key is not known, could be passed accidentally.
Impact
Critical functions using the onlyOwner modifier will be locked - setLenderFee(), setBorrowerFee(), setFeeReceiver().
Tools Used
Manual review
Recommendations
Implement the change of ownership in 2 steps:
Approve a new address as a pendingOwner.
A transaction from the pendingOwner address claims the pending ownership change.
This mitigates the risk because if an incorrect address is used in step (1) then it can be fixed by re-approving the correct address. Only after a correct address is used in step (1) can step (2) happen and complete the ownership change.
Lead Judging Commences
single-step-ownership
informational/invalid
single-step-ownership
informational/invalid
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.