Mystery Box

First Flight #25
Beginner Friendly, Foundry
Submission Details
Severity: medium
Invalid

Single-Step Ownership Transfer in `changeOwner`.

Vulnerability Details

The ownership transfer in the changeOwner function is executed in a single step, which poses a medium-level risk in the case of human error.

```solidity
function changeOwner(address _newOwner) public {
    owner = _newOwner;
}
```

Ownership transfers are critical, and performing them in a single step increases the risk that (once proper access control is in place) the current trusted owner may mistakenly or accidentally assign ownership to an incorrect or invalid address. In case the ownership is accidentally transferred to an unintended address, it could potentially result in the contract becoming unrecoverable, putting the entire protocol at risk.

Impact

If the ownership is mistakenly transferred to an invalid or unintended address, it would lead to the permanent loss of control over the contract.

Tools Used

Manual review, Visual Studio Code (VSCode)

Recommendations

To mitigate this risk, the ownership transfer process should be modified to use a two-step process that requires confirmation from the new owner. This ensures that the address provided is valid and that the new owner consents to the transfer.

Recommended Two-Step Fix:

  1. Introduce a proposedOwner variable to store the pending owner.

  2. Require the new owner to explicitly accept ownership by calling a confirmOwner function.

+ address public proposedOwner;
+ function proposeNewOwner(address _newOwner) public {
+ require(msg.sender == owner, "Only the current owner can propose a new owner");
+ proposedOwner = _newOwner;
+ }
+ function confirmOwner() public {
+ require(msg.sender == proposedOwner, "Only the proposed owner can confirm ownership");
+ owner = proposedOwner;
+ proposedOwner = address(0);
+ }
- function changeOwner(address _newOwner) public {
- owner = _newOwner;
- }
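
Review bot: neither `proposeNewOwner` nor `confirmOwner` emits an event, so a pending or completed ownership change is invisible to off-chain monitoring; declare an event for each step (for example, hypothetical `OwnershipProposed` and `OwnershipTransferred` events) and emit them where `proposedOwner` and `owner` are assigned. Separately, the removed `changeOwner` has no `require` on `msg.sender`, so the added `require(msg.sender == owner, ...)` in `proposeNewOwner` also closes a missing access-control gap; that is a distinct issue from the single-step transfer and should be reported and described on its own.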

This two-step process reduces the risk of mistakes by ensuring that the new owner has to explicitly confirm the ownership transfer.
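
The recovery property described above can be checked with a Foundry test. This is an added example, not code from the submission or the audited project: `TwoStepOwned` is a hypothetical stand-in contract that reuses the recommended functions, and the `alice` and `typo` addresses are constructed for the test.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in for the contract's ownership logic, following the
// two-step pattern recommended above (not the project's own code).
contract TwoStepOwned {
    address public owner;
    address public proposedOwner;

    constructor() { owner = msg.sender; }

    function proposeNewOwner(address _newOwner) public {
        require(msg.sender == owner, "Only the current owner can propose a new owner");
        proposedOwner = _newOwner;
    }

    function confirmOwner() public {
        require(msg.sender == proposedOwner, "Only the proposed owner can confirm ownership");
        owner = proposedOwner;
        proposedOwner = address(0);
    }
}

contract TwoStepOwnedTest is Test {
    TwoStepOwned internal c;
    address internal alice = makeAddr("alice"); // intended new owner (constructed)
    address internal typo = makeAddr("typo");   // mistyped address nobody controls (constructed)

    function setUp() public {
        c = new TwoStepOwned(); // the test contract is the initial owner
    }

    function test_MistypedProposalIsRecoverable() public {
        c.proposeNewOwner(typo);
        assertEq(c.owner(), address(this)); // a bad proposal alone does not move ownership
        // Alice cannot accept a proposal made out to a different address.
        vm.prank(alice);
        vm.expectRevert("Only the proposed owner can confirm ownership");
        c.confirmOwner();

        c.proposeNewOwner(alice); // the owner overwrites the bad proposal
        vm.prank(alice);
        c.confirmOwner();
        assertEq(c.owner(), alice);
        assertEq(c.proposedOwner(), address(0)); // pending slot is cleared
    }
}
```

Run it with `forge test --match-test test_MistypedProposalIsRecoverable` in a project that has `forge-std` installed.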

Updates

Appeal created

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
