Flow

Sablier
FoundryDeFi
20,000 USDC
Submission Details
Severity: medium
Invalid

Admin Control Vulnerability

Contract: Adminable.sol

Description: The transferAdmin function allows the current admin to transfer admin rights to any address, including potentially malicious ones.

  • Code Reference:

    function transferAdmin(address newAdmin) public virtual override onlyAdmin {
        // No validation of newAdmin: the zero address or any arbitrary address is accepted.
        admin = newAdmin;
        emit IAdminable.TransferAdmin({ oldAdmin: msg.sender, newAdmin: newAdmin });
    }

Impact:

  • If an attacker can control the admin address, they can execute any function that is restricted to the admin, leading to unauthorized access and potential manipulation of the contract state.

  • A malicious new admin can drain funds, change critical parameters, or block legitimate users.

  • Recommendations:

    • Implement a check to ensure the newAdmin address is not the zero address:

      require(newAdmin != address(0), "New admin address cannot be zero");

    • Consider adding a time-lock mechanism for admin transfers, so that users have time to react to an unexpected change.
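A hardened handover that applies both recommendations (zero-address check plus a delay before the new admin can take the role), written as an added example for this page and not taken from Sablier's codebase; the contract, event and error names and the 2-day delay are assumptions:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// @notice Illustrative time-locked admin handover; an assumed design, not Sablier's code.
contract TimelockedAdminable {
    uint256 public constant TRANSFER_DELAY = 2 days; // assumed delay length

    address public admin;
    address public pendingAdmin;
    uint256 public transferReadyAt;

    event TransferAdminProposed(address indexed currentAdmin, address indexed proposedAdmin, uint256 readyAt);
    event TransferAdmin(address indexed oldAdmin, address indexed newAdmin);

    error CallerNotAdmin(address caller);
    error CallerNotPendingAdmin(address caller);
    error ZeroAddressAdmin();
    error TransferNotReady(uint256 readyAt);

    modifier onlyAdmin() {
        if (msg.sender != admin) revert CallerNotAdmin(msg.sender);
        _;
    }

    constructor(address initialAdmin) {
        if (initialAdmin == address(0)) revert ZeroAddressAdmin();
        admin = initialAdmin;
    }

    /// @notice Step 1: the current admin names a successor; the role does not move yet.
    function proposeAdmin(address newAdmin) external onlyAdmin {
        if (newAdmin == address(0)) revert ZeroAddressAdmin();
        pendingAdmin = newAdmin;
        transferReadyAt = block.timestamp + TRANSFER_DELAY;
        emit TransferAdminProposed(msg.sender, newAdmin, transferReadyAt);
    }

    /// @notice Step 2: once the delay has elapsed, the successor claims the role itself,
    /// which also proves the address can transact (no handover to a mistyped address).
    function acceptAdmin() external {
        if (msg.sender != pendingAdmin) revert CallerNotPendingAdmin(msg.sender);
        if (block.timestamp < transferReadyAt) revert TransferNotReady(transferReadyAt);
        address oldAdmin = admin;
        admin = msg.sender;
        delete pendingAdmin;
        delete transferReadyAt;
        emit TransferAdmin(oldAdmin, msg.sender);
    }
}
```

The TransferAdminProposed event gives users and monitoring a full delay window to notice an unexpected proposal before the role actually changes hands.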

Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
