The SmartVaultManagerV5 contract inherits the OZ Ownable contract. Use Ownable2Step instead to follow the best security practices and better safeguard against accidental transfers of access control.
The update function of the protocol address (which is the address that receives all the acquired protocol fees) would also benefit from a 2-step transfer process.
Here we can see the function that updates the protocol address:
There are no checks and no 2-step process is implemented, and fees are sent to this address as users interact with the system. Accidentally passing a wrong address to this function could result in instantly losing funds.
The Ownable library does not safeguard against accidentally passing the wrong address to the transferOwnership function. The chance of doing so is very low, but the impact is very high. Ownable2Step adds another step to the transfer process, which requires the new owner to accept the ownership before it is transferred. Use this contract instead to be protected against such a mistake.
Use Ownable2Step instead of Ownable and implement a 2-step process for the setProtocolAddress function.