The current implementation of the OwnableTwoStep in bridge.cairo and erc721_bridgeable allows a pending owner to accept ownership even after the original owner has renounced ownership. This issue arises because the Ownable_pending_owner state variable is not cleared when ownership is renounced, enabling the pending owner to claim ownership after the original owner believes the contract has been relinquished. The issue is also present in the OZ Cairo contracts v0.11.0 implementation, which is used by ArkProject.
This vulnerability can lead to unauthorized ownership transfer, undermining the original owner's intent to leave the contract without an owner. It introduces a security risk where an unintended party (pending owner) can gain control of the contract after the original owner has renounced ownership, potentially leading to misuse or exploitation of the contract.
1. The current owner calls transfer_ownership, setting Ownable_pending_owner to Bob.
2. Bob does not immediately accept ownership, leaving Ownable_pending_owner active.
3. The current owner calls renounce_ownership, believing they have relinquished control, setting the owner to the zero address.
4. Bob, as the pending owner, calls accept_ownership after the renouncement.
5. Bob becomes the new owner of the contract, despite the original owner's intent to leave the contract without an owner.
To address this issue, I think you need to override the OZ renounce_ownership to ensure that Ownable_pending_owner is cleared (set to the zero address) whenever renounce_ownership is called. This would prevent any pending owner from accepting ownership after the original owner has renounced it.
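The scenario and the recommended fix, as an added example that is not ArkProject's or OpenZeppelin's code: a small Python model of a two-step Ownable in which a flag selects between the current behaviour (pending owner left in place on renounce) and the fix (pending owner cleared on renounce). The account names alice and bob and the "0x0" stand-in for the zero address are assumptions.

```python
ZERO = "0x0"  # assumed stand-in for the zero address


class OwnableTwoStep:
    """Model of a two-step ownership transfer (not the Cairo contract).
    clear_pending_on_renounce=False reproduces the reported flaw,
    True applies the recommended fix."""

    def __init__(self, owner: str, clear_pending_on_renounce: bool = False) -> None:
        self.owner = owner
        self.pending_owner = ZERO
        self.clear_pending_on_renounce = clear_pending_on_renounce

    def _assert_only_owner(self, caller: str) -> None:
        if caller == ZERO or caller != self.owner:
            raise PermissionError("Caller is not the owner")

    def transfer_ownership(self, caller: str, new_owner: str) -> None:
        # Step 1: only the owner may nominate a pending owner.
        self._assert_only_owner(caller)
        self.pending_owner = new_owner

    def accept_ownership(self, caller: str) -> None:
        # Step 4: only the pending owner may complete the transfer.
        if caller == ZERO or caller != self.pending_owner:
            raise PermissionError("Caller is not the pending owner")
        self.owner = caller
        self.pending_owner = ZERO

    def renounce_ownership(self, caller: str) -> None:
        # Step 3: owner becomes the zero address. The fix also clears
        # the pending owner so nobody can accept afterwards.
        self._assert_only_owner(caller)
        if self.clear_pending_on_renounce:
            self.pending_owner = ZERO
        self.owner = ZERO


def run_scenario(fixed: bool) -> str:
    """Replay the steps from the finding and return the final owner."""
    c = OwnableTwoStep(owner="alice", clear_pending_on_renounce=fixed)
    c.transfer_ownership("alice", "bob")  # Bob is now pending owner
    c.renounce_ownership("alice")         # Alice believes the contract is ownerless
    try:
        c.accept_ownership("bob")         # Bob attempts to take over
    except PermissionError:
        pass                              # only reached with the fix applied
    return c.owner
```

With the flaw, run_scenario(False) ends with bob as owner; with the fix, run_scenario(True) ends with the zero address.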
Also, please note that the issue has been confirmed by the sponsor in a private thread and will also be reported to OpenZeppelin after the contest ends.