Tadle
DeFiFoundry
27,750 USDC
Submission Details
Severity: low
Invalid

If ownership of the `Rescuable` contract is renounced, anyone can call `Rescuable::initializeOwnership` to change the owner

Summary

The Rescuable contract, which many contracts such as CapitalPool and TokenManager inherit from, contains a function Rescuable::initializeOwnership that can set a new owner whenever the contract has no owner.

Vulnerability Details

Steps to reproduce:

  1. The owner of the contract decides to call Ownable::renounceOwnership at some point.

  2. Now anyone can call Rescuable::initializeOwnership to set themselves as owner of the contract.

Put this in the PreMarkets.t.sol Foundry test suite:

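```solidity
function test_ownership() public {
    // Deploy as 0x1337, which becomes the initial owner.
    vm.startPrank(address(0x1337));
    Rescuable res = new Rescuable();
    assertEq(res.owner(), address(0x1337));

    // The owner renounces ownership, leaving owner() == address(0).
    res.renounceOwnership();
    assertEq(res.owner(), address(0x0));
    vm.stopPrank();

    // An unrelated account (0x5) now sets itself as owner.
    vm.prank(address(0x5));
    res.initializeOwnership(address(0x5));
    assertEq(res.owner(), address(0x5));
}
```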

Impact

If the developers one day decide to call Ownable::renounceOwnership to give up ownership of the contract, the contract can be taken over by anyone who calls Rescuable::initializeOwnership.

Even if the "real" owner calls Rescuable::initializeOwnership after renouncing ownership of the contract, the transaction can be front-run.

Tools Used

Code inspection

Recommendations

Remove the function Rescuable::initializeOwnership. It provides no benefit, because the owner is already set on deployment, and it cannot be called anyway unless the contract's ownership has been removed.
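
As an alternative to removal, for the case where the initializer has to stay, the sketch below gates it on a one-shot flag instead of on the owner being the zero address, so renouncing ownership does not reopen it. It is an added example, not Tadle's code: the contract name OneShotOwnable, the flag, the errors and the minimal ownership logic are all hypothetical stand-ins, and the assumption that some instances run without the constructor touching their storage (for example behind a proxy) is not stated on this page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Added illustration, not the audited code. All names are hypothetical.
contract OneShotOwnable {
    address private _owner;
    // Set once and never cleared, so it survives renounceOwnership().
    bool private _ownershipInitialized;

    error AlreadyInitialized();
    error NotOwner();
    error ZeroAddress();

    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    constructor() {
        // Direct deployments are initialized here; the external initializer is then dead.
        _ownershipInitialized = true;
        _setOwner(msg.sender);
    }

    modifier onlyOwner() {
        if (msg.sender != _owner) revert NotOwner();
        _;
    }

    function owner() public view returns (address) {
        return _owner;
    }

    // Gate on the flag, not on owner() == address(0).
    // Only reachable where the constructor did not write this storage (assumed: a proxy),
    // and there it must be called in the same transaction as deployment.
    function initializeOwnership(address newOwner) external {
        if (_ownershipInitialized) revert AlreadyInitialized();
        if (newOwner == address(0)) revert ZeroAddress();
        _ownershipInitialized = true;
        _setOwner(newOwner);
    }

    // Renouncing clears the owner but leaves the flag set, so nobody can re-claim.
    function renounceOwnership() external onlyOwner {
        _setOwner(address(0));
    }

    function _setOwner(address newOwner) private {
        emit OwnershipTransferred(_owner, newOwner);
        _owner = newOwner;
    }
}
```

Run against this contract, the final `initializeOwnership` call in the test above reverts with `AlreadyInitialized` and `owner()` stays at the zero address.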

Updates

Lead Judging Commences

0xnevi Lead Judge
about 1 year ago
Submission Judgement Published
Invalidated
Reason: Other
