The Standard

DeFi, Hardhat
20,000 USDC
Submission Details
Severity: low
Invalid

`setOwner` function allows external calls to change the owner without adequate access control checks.

Summary

The `setOwner` function allows external calls to change the owner without adequate access control checks. Although there is an `onlyVaultManager` modifier, its enforcement is incomplete, creating a vulnerability.

Vulnerability Details

```solidity
// Vulnerable function
function setOwner(address _newOwner) external onlyVaultManager {
    owner = _newOwner;
}
```

Impact

This vulnerability allows unauthorized users to alter the owner of the SmartVault contract, potentially leading to unauthorized control and manipulation of the contract's functionality.

Tools Used

Manual Code Review

Recommendations

Implement a secure mechanism to update the owner address. One possible approach is to create a separate function with appropriate access control checks. Alternatively, consider utilizing access control libraries like OpenZeppelin's Ownable to manage ownership securely.

```solidity
// Improved Access Control
function changeOwner(address _newOwner) external onlyOwner {
    owner = _newOwner;
}
```

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

informational/invalid

0xVinylDavyl Submitter
over 1 year ago
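
A reviewer can test whether a modifier such as `onlyVaultManager` really gates `setOwner` by calling it from both a manager and a non-manager address. The sketch below is an added example, not part of the submission or the project's code; the modifier body, the `InvalidUser` error, the `OwnerChanged` event and the contract names `VaultSketch`, `ManagerProbe` and `OutsiderProbe` are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical minimal vault. Function and modifier names mirror the snippet
// in the report; the modifier body is assumed, since the report does not show it.
contract VaultSketch {
    address public owner;
    address public immutable manager;

    error InvalidUser();
    event OwnerChanged(address indexed previousOwner, address indexed newOwner);

    constructor(address _manager, address _owner) {
        manager = _manager;
        owner = _owner;
    }

    // The whole access decision lives here: any caller other than the manager reverts.
    modifier onlyVaultManager() {
        if (msg.sender != manager) revert InvalidUser();
        _;
    }

    function setOwner(address _newOwner) external onlyVaultManager {
        emit OwnerChanged(owner, _newOwner);
        owner = _newOwner;
    }
}

// Deploys the vault with itself as manager, so its calls take the allowed path.
contract ManagerProbe {
    VaultSketch public vault;

    constructor() {
        vault = new VaultSketch(address(this), msg.sender);
    }

    // Returns true when the manager call succeeded and the owner changed.
    function managerCanSetOwner(address newOwner) external returns (bool) {
        vault.setOwner(newOwner);
        return vault.owner() == newOwner;
    }
}

// Any other caller: the call must revert and the owner must stay unchanged.
contract OutsiderProbe {
    function setOwnerIsBlocked(VaultSketch vault) external returns (bool) {
        address before = vault.owner();
        try vault.setOwner(address(this)) { return false; }
        catch { return vault.owner() == before; }
    }
}
```

Both probe functions returning `true` means the modifier is enforced for this sketch; the same pair of calls can be run against a real deployment's test fixture to confirm or refute an access-control finding.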