NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

Single-step ownership transfer can be dangerous

Summary

Ownable implements a simplified process for transferring ownership in a single step.

Vulnerability Details

Single-step ownership transfer means that if a wrong address is passed when transferring ownership or admin rights, that role can be lost forever. If the admin permissions are handed to the wrong address in the transfer call, the damage to the contract is irreparable, since only the owner can transfer ownership again.
Below is the official documentation explanation from OpenZeppelin:
https://docs.openzeppelin.com/contracts/4.x/api/access

Ownable is a simpler mechanism with a single owner "role" that can be assigned to a single account. This simpler mechanism can be useful for quick tests but projects with production concerns are likely to outgrow it.
The Messaging contract inherits from the Ownable contract, where the ownership transfer is a single-step process, posing the aforementioned risk.

contract StarklaneMessaging is Ownable {

The collection_transfer_ownership() function in the bridge.cairo contract also has the same issue.

Impact

Ownership (administrative privilege) can be lost to an uncontrolled account if the current owner provides an invalid address for the new owner.

Tools Used

Recommendations

It is recommended to use the Ownable2Step contract from OZ (https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/access/Ownable2Step.sol) instead.
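The two patterns side by side, as an added illustration written for this finding (not the Starklane code and not OpenZeppelin's library; the contract names and the cancelTransfer() helper are made up for the example):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Single-step transfer (the pattern the finding describes): a wrong `newOwner` takes effect at once.
contract SingleStepOwnable {
    address public owner;
    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor() { owner = msg.sender; }

    function transferOwnership(address newOwner) external onlyOwner {
        require(newOwner != address(0), "zero address");
        emit OwnershipTransferred(owner, newOwner);
        owner = newOwner; // nothing checks that anyone controls newOwner; no way back if it is wrong
    }
}

// Two-step transfer (what Ownable2Step does): ownership moves only when the nominee accepts.
contract TwoStepOwnable {
    address public owner;
    address public pendingOwner;
    event OwnershipTransferStarted(address indexed previousOwner, address indexed newOwner);
    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor() { owner = msg.sender; }

    // Step 1: the current owner nominates. A typo here is harmless; `owner` is unchanged.
    function transferOwnership(address newOwner) external onlyOwner {
        pendingOwner = newOwner;
        emit OwnershipTransferStarted(owner, newOwner);
    }

    // Step 2: the nominee must call from the nominated address, proving the key is usable.
    function acceptOwnership() external {
        require(msg.sender == pendingOwner, "not pending owner");
        emit OwnershipTransferred(owner, pendingOwner);
        owner = pendingOwner;
        delete pendingOwner;
    }

    // Example-only helper: the owner can withdraw a pending nomination, e.g. after spotting a typo.
    function cancelTransfer() external onlyOwner { delete pendingOwner; }
}
```

In the two-step version a mistaken nomination is recoverable because the current owner keeps control until acceptOwnership() succeeds from the nominated key.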

Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational / Gas

Please do not suppose impacts; think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity. A PoC always helps to understand the real impact possible.
