`Adminable` uses single-step ownership transfer
Summary
The ownership transfer mechanism of the Adminable contract presents a vulnerability due to its single-step ownership transfer pattern.
Vulnerability Details
Single-Step Ownership Transfer
Issue: The current ownership transfer implementation in
Adminable.solallows for a single-step transfer, where ownership or admin rights are immediately transferred to a new address.Description: If an incorrect address is provided during the ownership transfer, the role may be lost forever. The contract follows the
onlyAdminmodifier pattern, restricting certain critical functions to the contract owner.Affected Methods: All methods marked with the onlyAdmin modifier throughout the protocol, including core functionality, are at risk.
Impact
Likelihood: Low, as it requires an error on the admin's side.
Impact: High, as critical protocol functionality may be permanently compromised.
Tools Used
Manual code review
Recommendations
Implement Two-Step Ownership Transfer:
Switch to a two-step ownership transfer pattern, where ownership transfer enters a "pending" state before the new owner claims their rights. This approach mitigates the risk of permanent ownership loss due to incorrect addresses during transfer. Consider using OpenZeppelin's Ownable2Step contract as a reference for implementation.
Lead Judging Commences
Info/Gas/Invalid as per Docs
https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.