Liquid Staking

Summary:

The StakingPool contract, which inherits from StakingRewardsPool , which again inherits from OwnableUpgradeable, uses a single-step ownership transfer mechanism. This approach poses a significant risk as it could lead to permanent loss of ownership if the new owner address is incorrectly specified, potentially bricking critical protocol functionality.

Vulnerability Details:

The current implementation uses OpenZeppelin's OwnableUpgradeable contract, which employs a single-step ownership transfer:

This method immediately transfers ownership to the new address without any confirmation from the recipient. If an incorrect address is provided (e.g., a typo, an address without known private keys, or a contract address that can't handle ownership), the contract's ownership could be permanently lost.

The 5/7 multisig does provide a significant layer of protection, as it requires multiple parties to agree on any ownership transfer. This reduces the likelihood of a mistake, but doesn't eliminate it entirely.

Impact:

• Medium severity due to the potential for permanent loss of admin control.

• All functions with the onlyOwner modifier become inaccessible if ownership is lost.

• Critical protocol functions like addStrategy, removeStrategy, addFee, and updateFee would be frozen/compromised .

Tools Used:

• Manual review

Recommendations:

Implement a two-step ownership transfer process using OpenZeppelin's Ownable2Step contract

By implementing these recommendations, the protocol significantly reduces the risk of permanent ownership loss due to human error or operational mistakes, enhancing the overall security and longevity of the system.

Similar bugs are PashovGroup , TrailOfBits