Contest: Sablier Flow (FoundryDeFi, 20,000 USDC)
Submission Details

Severity: medium
Status: Invalid

Admin identity is not checked

Summary

The Admin has the highest authority in the entire project: the power of this role is very large, and the contract cannot be upgraded. It is therefore necessary to strictly check that the address the Admin role is transferred to is valid.

Vulnerability Details

In Adminable.sol::transferAdmin(), the newAdmin parameter is not validated at all; the value of admin is directly overwritten with it, which poses a security risk.

    function transferAdmin(address newAdmin) public virtual override onlyAdmin {
        // @audit => It is necessary to check whether the `newAdmin` address is valid.
        // Effect: update the admin.
        admin = newAdmin;
        // Log the transfer of the admin.
        emit IAdminable.TransferAdmin({ oldAdmin: msg.sender, newAdmin: newAdmin });
    }

Impact

The impact is the loss of the admin identity (for example, a transfer to a mistyped or zero address) and the inability to call any function guarded by the onlyAdmin modifier, which causes the project to lose autonomy.

Tools Used

Manual analysis.

Recommendations

It is best to follow the logic of OpenZeppelin's Ownable2Step.sol and perform a second verification step (the new admin must accept) when transferring admin permissions.

Link: openzeppelin-contracts/contracts/access/Ownable2Step.sol (OpenZeppelin/openzeppelin-contracts, master branch)
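The following contract is an added illustration of the two-step pattern the recommendation refers to; it is not Sablier's Adminable.sol and not OpenZeppelin's code. The names pendingAdmin, acceptAdmin, cancelAdminTransfer, the events and the custom errors are assumptions chosen for this example; the event name TransferAdmin and the onlyAdmin modifier mirror the ones shown in the submission.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical contract (example code, not from the audited project) showing an
/// Ownable2Step-style admin transfer: the current admin nominates a successor, and
/// the transfer only takes effect once the nominee proves control of the address
/// by calling acceptAdmin(). A mistyped nominee can never accept, so the current
/// admin keeps control and can simply nominate again.
contract TwoStepAdminable {
    address public admin;
    address public pendingAdmin; // assumed name: nominee awaiting acceptance

    event AdminTransferStarted(address indexed currentAdmin, address indexed pendingAdmin);
    event TransferAdmin(address indexed oldAdmin, address indexed newAdmin);

    error CallerNotAdmin(address admin, address caller);
    error CallerNotPendingAdmin(address pendingAdmin, address caller);
    error ZeroAddressAdmin();

    modifier onlyAdmin() {
        if (msg.sender != admin) revert CallerNotAdmin(admin, msg.sender);
        _;
    }

    constructor(address initialAdmin) {
        if (initialAdmin == address(0)) revert ZeroAddressAdmin();
        admin = initialAdmin;
        emit TransferAdmin(address(0), initialAdmin);
    }

    /// Step 1: the current admin only records a nominee. `admin` is unchanged, so
    /// every onlyAdmin function remains callable by the current admin.
    function transferAdmin(address newAdmin) external onlyAdmin {
        // Reject the zero address outright: nobody could ever accept from it.
        if (newAdmin == address(0)) revert ZeroAddressAdmin();
        pendingAdmin = newAdmin;
        emit AdminTransferStarted(admin, newAdmin);
    }

    /// Step 2: only the nominated address can complete the transfer. This is the
    /// "secondary verification" the recommendation asks for: it proves the new
    /// admin actually controls the key before authority moves.
    function acceptAdmin() external {
        if (msg.sender != pendingAdmin) revert CallerNotPendingAdmin(pendingAdmin, msg.sender);
        address oldAdmin = admin;
        admin = msg.sender;
        delete pendingAdmin; // clear the nomination so it cannot be reused
        emit TransferAdmin(oldAdmin, msg.sender);
    }

    /// Lets the current admin withdraw a nomination that was made in error.
    function cancelAdminTransfer() external onlyAdmin {
        delete pendingAdmin;
        emit AdminTransferStarted(admin, address(0));
    }
}
```

Compared with the single-step transferAdmin() in the report, the admin storage slot is written only inside acceptAdmin(), where msg.sender is by construction a live, key-controlling address; the zero-address check in transferAdmin() is a cheap extra guard rather than the main protection.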

Updates

Lead Judging Commences

inallhonesty (Lead Judge), 9 months ago: Submission Judgement Published. Invalidated. Reason: Non-acceptable severity.
