The Adminable::transferAdmin function allows the current admin to transfer their privileges to another address. However, this function does not check that the new admin is not the zero address (0x0000000000000000000000000000000000000000). Passing the zero address as newAdmin leads to the permanent loss of administrative control over the contract.

If the newAdmin parameter is set to the zero address, the contract loses its designated admin, rendering every function protected by the onlyAdmin modifier inaccessible. The contract's administrative capabilities would be permanently disabled, affecting operations such as SablierV2MerkleLockup::clawback and SablierV2Lockup::setNFTDescriptor.
Impact: Medium - Funds are directly or nearly directly at risk. The unclaimed tokens from the campaigns cannot be clawed back.
Likelihood: Low. Most of the addresses administering the Sablier Protocol are Safe multi-signature wallets, but not all of them. For example, the admin addresses on the LightLink and Blast networks are not (see the Sablier documentation: https://docs.sablier.com/concepts/governance).
Manual review.
Add a check that the newAdmin parameter is not the zero address, reverting before any state change if it is.
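The check described above, as an added example rather than Sablier's own source: a minimal Adminable-style contract (the admin variable, onlyAdmin modifier, event and error names are assumptions) with the vulnerable shape kept in a comment beside the hardened transferAdmin.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity >=0.8.22;

// Minimal reconstruction of an Adminable-style contract. It is NOT the
// project's actual source; names below are assumptions for illustration.
contract Adminable {
    // Address authorised to call functions guarded by onlyAdmin.
    address public admin;

    event TransferAdmin(address indexed oldAdmin, address indexed newAdmin);

    error CallerNotAdmin(address admin, address caller);
    error AdminZeroAddress();

    modifier onlyAdmin() {
        if (admin != msg.sender) revert CallerNotAdmin(admin, msg.sender);
        _;
    }

    constructor(address initialAdmin) {
        // Apply the same rule at deployment so the contract never starts bricked.
        if (initialAdmin == address(0)) revert AdminZeroAddress();
        admin = initialAdmin;
    }

    // Vulnerable shape described in the finding (kept only for comparison):
    //
    // function transferAdmin(address newAdmin) external onlyAdmin {
    //     emit TransferAdmin(admin, newAdmin);
    //     admin = newAdmin; // address(0) here locks out every onlyAdmin function
    // }

    // Hardened version: reject the zero address before touching state, so a
    // mistyped or defaulted argument reverts instead of destroying admin access.
    function transferAdmin(address newAdmin) external onlyAdmin {
        if (newAdmin == address(0)) revert AdminZeroAddress();
        emit TransferAdmin(admin, newAdmin);
        admin = newAdmin;
    }
}
```

If giving up admin rights is ever an intended operation, expose it as a separate, explicitly named function rather than overloading transferAdmin with the zero address, so the irreversible action cannot happen by accident.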