DeFiFoundry
20,000 USDC
Submission Details
Severity: medium
Invalid

Contracts should have a two-step ownership transfer

Summary

FjordAuctionFactory.sol, FjordPoints.sol and FjordStaking.sol implement the transfer of ownership to a new owner via the setOwner function, which transfers ownership directly in a single step. While this approach is straightforward, it introduces security risks, as a single misstep could lead to an irreversible transfer of control over the contract.

Vulnerability Details

The current setOwner function shown below enables the contract owner to transfer ownership in a single step. This method lacks any confirmation from the new owner, which could lead to potential issues if the new owner address is incorrect or compromised.

  • The transfer of ownership occurs immediately after calling the setOwner function, with no opportunity for the new owner to verify or confirm the transfer.

  • If the owner mistakenly inputs the wrong address or if the address is compromised, ownership of the contract could be transferred to an unintended or malicious party.

function setOwner(address _newOwner) external onlyOwner {
    if (_newOwner == address(0)) revert InvalidZeroAddress();
    // Ownership changes immediately; the new address never confirms the transfer.
    owner = _newOwner;
}

Impact

Mistakenly transferring ownership to an incorrect or unintended address would effectively mean losing control of critical contracts.

Tools Used

Manual review.

Recommendations

Consider using OpenZeppelin's Ownable2Step.sol.
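
The nominate-then-accept pattern the recommendation refers to, written out as an added sketch (not the Fjord code and not OpenZeppelin's source). The contract name TwoStepOwned, pendingOwner, acceptOwnership, the NotOwner and NotPendingOwner errors, the events and the pragma version are assumptions made for illustration; setOwner and InvalidZeroAddress follow the snippet above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20; // assumed compiler version for this sketch

/// Added illustration: two-step variant of the single-step setOwner pattern.
/// pendingOwner, acceptOwnership, NotOwner and NotPendingOwner are hypothetical names.
contract TwoStepOwned {
    address public owner;
    address public pendingOwner;

    error InvalidZeroAddress();
    error NotOwner();
    error NotPendingOwner();

    event OwnershipTransferStarted(address indexed currentOwner, address indexed nominee);
    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    /// Step 1: the current owner nominates a successor. `owner` is unchanged,
    /// so a mistyped address can be corrected by calling setOwner again.
    function setOwner(address _newOwner) external onlyOwner {
        if (_newOwner == address(0)) revert InvalidZeroAddress();
        pendingOwner = _newOwner;
        emit OwnershipTransferStarted(owner, _newOwner);
    }

    /// Step 2: the nominee proves it controls the address by calling from it.
    function acceptOwnership() external {
        if (msg.sender != pendingOwner) revert NotPendingOwner();
        address previous = owner;
        owner = msg.sender;
        delete pendingOwner; // clear the nomination so it cannot be replayed
        emit OwnershipTransferred(previous, msg.sender);
    }
}
```

The acceptance step only shows that someone can transact from the nominated address, so it guards against mistyped or uncontrolled addresses; monitoring OwnershipTransferStarted gives operators a window to overwrite a wrong nomination before it is accepted.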

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
