HardhatFoundry
30,000 USDC
Submission Details
Severity: low
Invalid

Insufficient check for validator Ownership transfer

Summary

The K1Validator contract is designed to manage ownership and validate user operations. It includes a function, transferOwnership, which allows the transfer of ownership to a new address. However, the current implementation lacks checks to ensure that the new owner is not an existing validator or an uninstalled validator. This report analyzes the potential impact of this oversight and provides recommendations to mitigate associated risks.

Vulnerability Details

With the current implementation, allowing transfer of ownership to an existing validator can lead to conflicts of interest, where a single entity controls multiple validators. This can compromise the integrity of the validation process in case of system compromise. Also, an uninstalled validator might have been removed for security reasons. Reassigning ownership to such an address could reintroduce vulnerabilities.

Impact

In a situation where a single entity holds multiple verification ownerships, it means the system will fail to reach the quota of ownership needed, as a single account might be holding more than one ownership.

Also, in a situation where a verificator was removed for security reasons or compromise, without the check, a new owner can mistakenly be one such entity.

Tools Used

Manual analysis

Recommendations

Implement logic to check against lists or mappings of existing and uninstalled validators before transferring ownership.

Reject any ownership transfer that assigns the new owner to an existing or uninstalled validator.

    function transferOwnership(address newOwner) external {
        require(newOwner != address(0), ZeroAddressNotAllowed());
        require(!_isContract(newOwner), NewOwnerIsContract());
        require(!_isExistingValidator(newOwner), "New owner is an existing validator");
        require(!_isUninstalledValidator(newOwner), "New owner is an uninstalled validator");

        smartAccountOwners[msg.sender] = newOwner;
    }

    // Function to check if the address is an existing validator
    function _isExistingValidator(address newOwner) private view returns (bool) {
        return existingValidators[newOwner];
    }

    // Function to check if the address is an uninstalled validator
    function _isUninstalledValidator(address newOwner) private view returns (bool) {
        return uninstalledValidators[newOwner];
    }

Updates

Lead Judging Commences

0xnevi Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

finding-K1Validator-access-control-issues

- Transfer of ownerships/uninstallation/installation of modules is gated to the caller, wherein the new owner can only adjust the `smartAccountOwners` storing the current owner based on caller (`msg.sender`) that called the `transferOwnership()` function. This functionalities should - Known issue > A Nexus Smart Account could be locked forever if the owner installs a validator in the wrong way and does remove all other valid validators
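The scoping the judgement refers to, where `transferOwnership()` writes only the `smartAccountOwners` entry keyed by `msg.sender`, shown as an added example that is not the Nexus K1Validator source. Only `smartAccountOwners`, `transferOwnership` and `ZeroAddressNotAllowed` come from the page; the contract names, `AccountStub`, `ScopeCheck` and the addresses are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified model of per-account owner storage (assumption: one owner slot
// per smart account, keyed by the calling account, as in line
// `smartAccountOwners[msg.sender] = newOwner;` quoted in the submission).
contract OwnerPerAccountModel {
    error ZeroAddressNotAllowed();

    mapping(address => address) public smartAccountOwners;

    function transferOwnership(address newOwner) external {
        if (newOwner == address(0)) revert ZeroAddressNotAllowed();
        // Only the caller's own slot is written; the function takes no
        // account parameter, so another account's entry is not reachable.
        smartAccountOwners[msg.sender] = newOwner;
    }
}

// Hypothetical stand-in for a smart account calling the validator module.
contract AccountStub {
    function setOwner(OwnerPerAccountModel v, address newOwner) external {
        v.transferOwnership(newOwner);
    }
}

contract ScopeCheck {
    // Returns true when rotating account A's owner leaves account B untouched.
    function run() external returns (bool) {
        OwnerPerAccountModel v = new OwnerPerAccountModel();
        AccountStub a = new AccountStub();
        AccountStub b = new AccountStub();

        address alice = address(0xA11CE); // constructed sample addresses
        address bob = address(0xB0B);
        address carol = address(0xCA401);

        a.setOwner(v, alice);
        b.setOwner(v, bob);
        a.setOwner(v, carol); // A rotates its owner

        return v.smartAccountOwners(address(a)) == carol
            && v.smartAccountOwners(address(b)) == bob;
    }
}
```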

Appeal created

alhakista Submitter
11 months ago
0xnevi Lead Judge
11 months ago