MorpheusAI

Foundry

22,500 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Lack of 2 step Ownership change can lead to loss of ownership

kaysoft

Summary

Lack of 2 step ownership could cause the ownership to be lost during ownership transfer

Vulnerability Details

The Ownable2step allows ownership confirmation by the pending owner. It allows a two step ownership transfer that prevents ownership from being lost if the new owner has not confirmed it.

File: MOR.sol

contract MOR is IMOR, ERC20Capped, ERC20Burnable, Ownable {

Ownable2step adds extra steps of security because losing ownership ownership to the wrong address is critical to the system because there a lot of onlyOwner function like the mint function on MOR token.

File: https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/access/Ownable2Step.sol

/**

* @dev Starts the ownership transfer of the contract to a new account. Replaces the pending transfer if there is one.

* Can only be called by the current owner.

function transferOwnership(address newOwner) public virtual override onlyOwner {

_pendingOwner = newOwner;

emit OwnershipTransferStarted(owner(), newOwner);

}

/**

* @dev Transfers ownership of the contract to a new account (`newOwner`) and deletes any pending owner.

* Internal function without access restriction.

function _transferOwnership(address newOwner) internal virtual override {

delete _pendingOwner;

super._transferOwnership(newOwner);

}

/**

* @dev The new owner accepts the ownership transfer.

function acceptOwnership() public virtual {

address sender = _msgSender();

if (pendingOwner() != sender) {

revert OwnableUnauthorizedAccount(sender);

}

_transferOwnership(sender);

}

Impact

Contract ownership can not be accidentally transferred to mistyped address.

Tools Used

Manual Review

Recommendations

Consider using Openzeppelin's Ownable2step contract on the MOR.sol token and Ownable2stepUpgradeable contract for other upgradeable contracts.

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Known issue

Prize pool breakdown

Total prize

22,500 USDC

nSLOC

1,054

21 USDC / LOC

High Medium

20,000 USDC

Low

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.