DeFiFoundry
60,000 USDC
Submission Details
Severity: medium
Invalid

Missing two-step ownership transfer check in the `_update` function of the `AccountNFT` contract

Summary:

The `_update` function performs an ownership transfer and then notifies the `PerpsEngine` contract of the transfer. However, it does not include any explicit check that the `to` address is valid or under someone's control.

Vulnerability Details:

If the `to` address is invalid, incorrectly configured, or not controlled by anyone, the function still updates ownership and notifies the `PerpsEngine`. Ownership can therefore end up at an address that cannot manage or interact with the token, making the token, and the funds associated with it, potentially lost or inaccessible.

Impact:

If ownership is transferred to an address whose private key nobody controls, or that is otherwise misconfigured, the token and the funds tied to it could be effectively lost or inaccessible, to the detriment of users.

Proof of Concept / Explanation:

  • If the `to` address is incorrect or not controlled by anyone (e.g., an invalid address), the function still updates ownership and notifies the `PerpsEngine`.

  • If Alice mistakenly transfers ownership to an address with no known private key, that address cannot interact with the contract or manage the token. As a result, Alice's funds (or token) are effectively "lost" or inaccessible.

Tools Used:

Manual

Recommendations:

Use a two-step ownership transfer: the current owner proposes a recipient, and the recipient must accept before ownership actually changes.
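The propose/accept pattern the recommendation refers to, written here as an added example rather than the protocol's own code: it builds on OpenZeppelin's ERC721 v5 `_update` hook, and the `IPerpsEngine.notifyAccountTransfer` callback and the engine-only `mint` rule are assumptions, since the page does not show the real `PerpsEngine` interface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";

// Hypothetical: the real PerpsEngine callback signature is not shown on this page.
interface IPerpsEngine {
    function notifyAccountTransfer(address newOwner, uint256 tokenId) external;
}

/// Account NFT whose ownership moves only through a propose/accept handshake.
contract TwoStepAccountNFT is ERC721 {
    IPerpsEngine public immutable perpsEngine;
    uint256 private _nextId = 1;
    mapping(uint256 => address) public pendingOwner; // tokenId => nominated next owner
    event TransferProposed(uint256 indexed tokenId, address indexed from, address indexed to);

    constructor(address engine) ERC721("Trading Account", "ACCT") {
        perpsEngine = IPerpsEngine(engine);
    }

    /// Minting stays one-step: the engine creates accounts (_mint calls _update with auth == 0).
    function mint(address to) external returns (uint256 tokenId) {
        require(msg.sender == address(perpsEngine), "only engine");
        tokenId = _nextId++;
        _mint(to, tokenId);
    }

    /// Step 1: nominate a recipient. Nothing moves yet, so a typo or a dead address is harmless.
    function proposeTransfer(uint256 tokenId, address to) external {
        require(_ownerOf(tokenId) == msg.sender, "not owner");
        require(to != address(0), "zero address");
        pendingOwner[tokenId] = to;
        emit TransferProposed(tokenId, msg.sender, to);
    }

    /// Step 2: only the nominee can finish, proving the key behind `to` is live.
    function acceptTransfer(uint256 tokenId) external {
        require(pendingOwner[tokenId] == msg.sender, "not pending owner");
        _update(msg.sender, tokenId, address(0)); // auth == 0: nominee check replaces approval check
    }

    /// transferFrom/safeTransferFrom pass a non-zero `auth`; reject them so the
    /// handshake is the only path. Mint, burn and acceptTransfer pass auth == 0.
    function _update(address to, uint256 tokenId, address auth) internal override returns (address from) {
        require(auth == address(0), "use proposeTransfer/acceptTransfer");
        delete pendingOwner[tokenId]; // any completed move clears a stale nomination
        from = super._update(to, tokenId, auth);
        if (from != address(0) && to != address(0)) perpsEngine.notifyAccountTransfer(to, tokenId);
    }
}
```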

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
