HardhatFoundry
30,000 USDC
Submission Details
Severity: low
Invalid

Lack of Access Control check in K1Validator's transferOwnership Function

Summary

The K1Validator contract contains a severe access control issue in its transferOwnership function. This function allows any address to change the owner of any smart account without authorization, which can lead to unauthorized takeover of smart accounts.

Vulnerability Details

The transferOwnership function in the K1Validator contract lacks proper access control:

```solidity
function transferOwnership(address newOwner) external {
    require(newOwner != address(0), ZeroAddressNotAllowed());
    require(!_isContract(newOwner), NewOwnerIsContract());
    smartAccountOwners[msg.sender] = newOwner;
}
```

This function allows any external caller to set a new owner for any smart account. It does not verify that the caller (msg.sender) is the current owner or has any authority to transfer ownership. As a result, an attacker can call this function and set themselves or any other address as the owner of any smart account in the system.

Impact

Attackers can gain control of any smart account using this validator, and if a smart account controls valuable assets, an attacker could steal or manipulate these assets after taking control.

Tools Used

Manual code review

Recommendations

Add a check to ensure only the current owner can transfer ownership:

```solidity
function transferOwnership(address newOwner) external {
    address currentOwner = smartAccountOwners[msg.sender];
    require(currentOwner == msg.sender, "Caller is not the current owner");
    require(newOwner != address(0), ZeroAddressNotAllowed());
    require(!_isContract(newOwner), NewOwnerIsContract());
    smartAccountOwners[msg.sender] = newOwner;
}
```

Updates

Lead Judging Commences

0xnevi Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

finding-K1Validator-access-control-issues

- Transfer of ownerships/uninstallation/installation of modules is gated to the caller, wherein the new owner can only adjust the `smartAccountOwners` storing the current owner based on caller (`msg.sender`) that called the `transferOwnership()` function. This functionalities should
- Known issue > A Nexus Smart Account could be locked forever if the owner installs a validator in the wrong way and does remove all other valid validators
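
The caller-keyed write that the judging comment describes, as an added Foundry test (not code from the contest repository). `OwnerRegistry`, `initOwner` and the test addresses are constructed stand-ins, and the `_isContract` check from the page's snippet is left out for brevity.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Constructed stand-in for the validator's owner bookkeeping; not the audited contract.
contract OwnerRegistry {
    error ZeroAddressNotAllowed();
    // smart account address => owner of that account
    mapping(address => address) public smartAccountOwners;

    // Hypothetical setup hook standing in for module installation by the account.
    function initOwner(address owner) external {
        if (owner == address(0)) revert ZeroAddressNotAllowed();
        smartAccountOwners[msg.sender] = owner;
    }

    // Same storage write as the snippet on the page: the key is msg.sender.
    function transferOwnership(address newOwner) external {
        if (newOwner == address(0)) revert ZeroAddressNotAllowed();
        smartAccountOwners[msg.sender] = newOwner;
    }
}

contract CallerKeyedOwnershipTest is Test {
    OwnerRegistry registry;
    address account = makeAddr("smartAccount"); // constructed addresses
    address owner = makeAddr("owner");
    address outsider = makeAddr("outsider");

    function setUp() public {
        registry = new OwnerRegistry();
        vm.prank(account);
        registry.initOwner(owner);
    }

    function test_outsiderOnlyWritesOwnSlot() public {
        vm.prank(outsider);
        registry.transferOwnership(outsider);
        // The account's entry is untouched; only the outsider's own key changed.
        assertEq(registry.smartAccountOwners(account), owner);
        assertEq(registry.smartAccountOwners(outsider), outsider);
    }

    function test_accountCanRotateItsOwner() public {
        vm.prank(account);
        registry.transferOwnership(outsider);
        assertEq(registry.smartAccountOwners(account), outsider);
    }
}
```

Run it with `forge test` inside a Foundry project that has `forge-std` installed.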
