NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

Lack of two-step ownership transfer process

Summary

Lack of two-step ownership transfer process.

Vulnerability Details

The current implementation of the collection_transfer_ownership function allows for an immediate transfer of ownership without requiring confirmation from the new owner. This single-step process increases the risk of transferring ownership to an invalid or unintended address.

fn collection_transfer_ownership(ref self: ContractState, collection: ContractAddress, new_owner: ContractAddress) {
    ensure_is_admin(@self);
    IOwnableDispatcher { contract_address: collection }
        .transfer_ownership(new_owner);
}

https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/starknet/src/bridge.cairo#L376C8-L380C10

The bridge, as the collection's owner, hands ownership straight to the new_owner address; there is no pending-owner step in which the recipient has to accept, so a mistyped or uncontrolled address cannot be corrected afterwards.

Impact

Ownership could be transferred to an unintended address.

Tools Used

Manual review

Recommendations

Implement a two-step ownership transfer process.
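Added example (not code from the submission or the project): a Python model that puts the immediate transfer next to the two-step flow the recommendation asks for. The Collection class, the bridge/admin roles and the address strings are constructed stand-ins for the Cairo contracts.

```python
# Model of single-step vs two-step ownership transfer for an Ownable collection
# whose owner is the bridge contract. Addresses such as "0xBRIDGE" are
# constructed placeholders, not values from the audited code.

class Collection:
    """Ownable collection: `owner`, plus `pending_owner` for the two-step flow."""

    def __init__(self, owner):
        self.owner = owner
        self.pending_owner = None

    def transfer_ownership(self, caller, new_owner):
        # Single-step (the behaviour in the finding): ownership moves at once.
        if caller != self.owner:
            raise PermissionError("caller is not the owner")
        self.owner = new_owner

    def propose_ownership(self, caller, new_owner):
        # Two-step, step 1: only record a candidate. The owner is unchanged,
        # so a later proposal overwrites a mistaken one.
        if caller != self.owner:
            raise PermissionError("caller is not the owner")
        self.pending_owner = new_owner

    def accept_ownership(self, caller):
        # Two-step, step 2: only the candidate can finalise, which proves the
        # address is one that somebody actually controls.
        if self.pending_owner is None or caller != self.pending_owner:
            raise PermissionError("caller is not the pending owner")
        self.owner, self.pending_owner = caller, None


def single_step(wrong, right, bridge="0xBRIDGE"):
    """Admin mistypes the new owner, then tries to correct the mistake."""
    col = Collection(owner=bridge)
    col.transfer_ownership(bridge, wrong)
    try:
        col.transfer_ownership(bridge, right)  # bridge is no longer the owner
    except PermissionError:
        pass
    return col.owner  # stuck at the wrong address


def two_step(wrong, right, bridge="0xBRIDGE"):
    """Same mistake under the two-step flow: the bridge can re-propose."""
    col = Collection(owner=bridge)
    col.propose_ownership(bridge, wrong)  # nobody controls `wrong`: never accepted
    col.propose_ownership(bridge, right)  # still owner, so the proposal is replaced
    col.accept_ownership(right)
    return col.owner
```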

Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational / Gas

Please do not suppose impacts; think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity. A PoC always helps to understand the real impact possible.
