Single-step process for critical ownership transfer is risky
Summary
The LiquidationPoolManager and SmartVaultManagerV5 use Ownable by OZ which can transfer ownership of the contracts in 1-step. However, single-step process for critical ownership transfer is risky due to possible human error which could result in locking all the functions that use the onlyOwner modifier.
Vulnerability Details
The current Ownable implementation that is used is not safe as the process is 1-step which is risky due to a possible human error. For example, an incorrect address, for which the private key is not known, could be passed accidentally.
Such an error is unrecoverable and leads to critical functions being locked for the protocol.
Impact
Critical functions using the onlyOwner modifier will be locked.
Tools Used
Manual review
Recommendations
Implement the change of ownership in 2 steps:
Approve a new address as a pendingOwner
A transaction from the pendingOwner address claims the pending ownership change.
This mitigates the risk because if an incorrect address is used in step (1) then it can be fixed by re-approving the correct address. Only after a correct address is used in step (1) can step (2) happen and complete the ownership change.
Or you can use Ownable2Step by OZ.
Lead Judging Commences
single-step-ownership
informational/invalid
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.