First Flight #12: Kitty Connect

Beginner Friendly, Foundry, NFT, GameFi
Submission Details
Severity: low
Valid

KittyConnect owner cannot transfer the ownership of the contract

Summary

Ownership of the KittyConnect contract must be transferable, but it is not.

Vulnerability Details

The README states: '3. KittyConnect Owner - Owner of the contract who can transfer the ownership of the contract to another address.'

However, the ownership cannot be transferred. The address that represents the owner of KittyConnect is i_kittyConnectOwner, but it is declared as an immutable variable.

address private immutable i_kittyConnectOwner;

This means that it can only be assigned at its declaration or in the constructor; its value cannot be modified afterwards.

Impact

This does not fit the intended operation of the protocol, as the docs clearly state that ownership of the contract must be transferable. i_kittyConnectOwner is the only address that can add shops to the contract by calling the addShop() function.

Tools Used

Manual review

Recommendations

KittyConnect::i_kittyConnectOwner must not be declared as immutable, and there must be a function that allows ownership to be transferred:

- address private immutable i_kittyConnectOwner;
+ address private i_kittyConnectOwner;
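
Review bot: the + line keeps the i_ prefix on a variable that is no longer immutable, so anyone reading the contract will still assume the owner cannot change after deployment. Rename it as part of this change (for example s_kittyConnectOwner, a hypothetical name) and update the onlyKittyConnectOwner modifier and any other reads accordingly.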

.
.
.

function transferOwnership(address newOwner) external onlyKittyConnectOwner {
    require(newOwner != address(0), "Not valid address");
    i_kittyConnectOwner = newOwner;
}
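
A hardened variant of the recommended fix, as an added example that is not KittyConnect's code or the submitter's: it goes beyond the single-step transferOwnership above by requiring the nominated owner to accept, and it emits events so the handover is visible to monitoring. The contract and all of its names (TwoStepOwner, s_owner, s_pendingOwner, acceptOwnership, owner) are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example, not KittyConnect's code: a stand-alone two-step owner handover.
/// Every name in this contract is hypothetical.
contract TwoStepOwner {
    address private s_owner;        // storage, not immutable, so it can change after deployment
    address private s_pendingOwner; // nominee that must still accept

    event OwnershipTransferStarted(address indexed currentOwner, address indexed pendingOwner);
    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    error NotOwner();
    error NotPendingOwner();
    error ZeroAddress();

    modifier onlyOwner() {
        if (msg.sender != s_owner) revert NotOwner();
        _;
    }

    constructor() {
        s_owner = msg.sender;
        emit OwnershipTransferred(address(0), msg.sender);
    }

    /// Step 1: the current owner nominates a successor; nothing changes hands yet.
    function transferOwnership(address newOwner) external onlyOwner {
        if (newOwner == address(0)) revert ZeroAddress();
        s_pendingOwner = newOwner;
        emit OwnershipTransferStarted(s_owner, newOwner);
    }

    /// Step 2: the nominee proves it controls its key by accepting.
    function acceptOwnership() external {
        if (msg.sender != s_pendingOwner) revert NotPendingOwner();
        address previous = s_owner;
        s_owner = msg.sender;
        delete s_pendingOwner; // clear the nomination so it cannot be replayed
        emit OwnershipTransferred(previous, msg.sender);
    }

    function owner() external view returns (address) {
        return s_owner;
    }
}
```

A mistyped newOwner here leaves the current owner in control, whereas the single-step version would hand the addShop() privilege to an address nobody holds the key for.
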
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Owner can't transfer ownership as Contest Details say.
