location : /src/abstracts/Adminable.sol
The transferAdmin
function allows the current admin to transfer administrative privileges to a new admin address. However, the function does not check whether the newAdmin
address provided is the zero address (address(0)
).
Relevant code :
Issue:
Setting Admin to Zero Address: If the admin mistakenly or maliciously sets the newAdmin
to the zero address, the admin
variable will be updated to address(0)
.
Loss of Administrative Access: Since the onlyAdmin
modifier restricts access to functions by checking if (admin != msg.sender)
, and no account can have the address(0)
, all functions protected by onlyAdmin
will become permanently inaccessible.
Irreversible Action: Once the admin is set to the zero address, there is no mechanism within the contract to recover administrative control.
Denial of Service: Critical administrative functions become permanently unusable, hindering contract maintenance, upgrades, or emergency interventions.
Loss of Control: The inability to perform essential admin functions can lead to the contract being locked in an undesirable state.
Security Risks: In the absence of administrative control, vulnerabilities discovered later cannot be patched, and contract parameters cannot be adjusted in response to changing conditions.
Add Validation to Prevent Setting Admin to Zero Address:
Modify the transferAdmin
function to include a check that ensures the newAdmin
address is not the zero address.
Require Statement: The require
function checks that newAdmin
is not address(0)
. If newAdmin
is the zero address, the transaction reverts with a descriptive error message.
Preventing Loss of Access: By ensuring that the admin cannot be set to the zero address, the contract maintains administrative control, allowing ongoing management and upgrade capabilities.
Constructor Initialization: Ensure that the admin
variable is properly initialized in the constructor of any contract that inherits from Adminable
. Failing to set the admin
address upon deployment can also result in the admin
being the zero address.
For example:
The TransferAdmin
event already logs the change, which aids in transparency and off-chain monitoring. Ensure that all relevant events are properly emitted.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.