TempleGold

TempleDAO
Foundry
25,000 USDC
View results
Submission Details
Severity: low
Invalid

Single-step role change introduces risks

Summary

The setDaoExecutor() function in the SpiceAuction.sol contract allows for the direct and immediate transfer of DAO executor ownership. This single-step transfer process introduces the risk of accidentally setting an incorrect address as the DAO executor. Implementing a two-step ownership transfer pattern would enhance security and control over the transition.

Vulnerability Details

The setDaoExecutor() function currently allows for the immediate transfer of the DAO executor role by directly setting the new executor address. This approach can lead to potential security issues if the address is set incorrectly due to human error or other factors. As all main functions of the contract rely on the onlyDAOExecutor modifier for access control, ensuring the correct DAO executor is crucial.

function setDaoExecutor(address _daoExecutor) external onlyDAOExecutor {
if (_daoExecutor == address(0)) { revert CommonEventsAndErrors.InvalidAddress(); }
daoExecutor = _daoExecutor;
emit DaoExecutorSet(_daoExecutor);
}

Impact

An incorrect address being set as the DAO executor can lead to losing control over the contract's critical functions.

Tools Used

Manual review.

Recommendations

Implement a two-step ownership transfer pattern to ensure that the new DAO executor address is set correctly and confirmed by the intended recipient.

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.