The Adminable contract allows the current admin to transfer admin control to a new address through the transferAdmin function. This function is protected by the onlyAdmin modifier, restricting access to the current admin. However, if the admin's private key is compromised, an attacker could transfer admin control to themselves, leading to unauthorized access and potential exploitation of the protocol.
Affected Function: transferAdmin(address newAdmin)
Access Control: Restricted to the current admin.
Risk: If an unauthorized party gains access to the admin's private key, they could execute this function and gain control over the entire protocol.
The vulnerability could lead to unauthorized control over the protocol, allowing an attacker to manipulate functionalities, steal funds, or disrupt service availability.
Manual Testing
Rework the transferAdmin function into a two-step transfer process: add a pendingAdmin variable and require the proposed admin to confirm the transfer by calling acceptAdmin.
Explanation:
The transferAdmin function now only sets a pendingAdmin, allowing the proposed address to confirm by calling acceptAdmin.
The acceptAdmin function ensures that only the pendingAdmin can finalize the transfer.
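The two-step pattern described above, written out as an added Solidity example; this is not the audited project's code. The names transferAdmin, acceptAdmin, pendingAdmin and onlyAdmin follow the finding, while the events, custom errors, the cancelAdminTransfer helper and the zero-address check are assumptions added for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative Adminable with a two-step admin transfer (example, not the audited contract).
contract Adminable {
    address public admin;
    address public pendingAdmin;

    // Events make both steps visible on-chain so monitoring can flag an unexpected nomination.
    event AdminTransferStarted(address indexed currentAdmin, address indexed newAdmin);
    event AdminTransferred(address indexed previousAdmin, address indexed newAdmin);

    error NotAdmin(address caller);
    error NotPendingAdmin(address caller);
    error ZeroAddress();

    modifier onlyAdmin() {
        if (msg.sender != admin) revert NotAdmin(msg.sender);
        _;
    }

    constructor() {
        admin = msg.sender;
        emit AdminTransferred(address(0), msg.sender);
    }

    /// Step 1: the current admin nominates a successor. Control does not move yet;
    /// `admin` stays in charge and can overwrite or cancel the nomination until it is accepted.
    function transferAdmin(address newAdmin) external onlyAdmin {
        if (newAdmin == address(0)) revert ZeroAddress(); // assumed guard, not in the finding
        pendingAdmin = newAdmin;
        emit AdminTransferStarted(admin, newAdmin);
    }

    /// Assumed helper: withdraw a nomination (e.g. a mistyped address) before it is accepted.
    function cancelAdminTransfer() external onlyAdmin {
        pendingAdmin = address(0);
    }

    /// Step 2: only the nominated address can finalize, which proves it controls that key
    /// and prevents handing admin rights to an address nobody can use.
    function acceptAdmin() external {
        if (msg.sender != pendingAdmin) revert NotPendingAdmin(msg.sender);
        address previous = admin;
        admin = msg.sender;
        pendingAdmin = address(0);
        emit AdminTransferred(previous, msg.sender);
    }
}
```

One practical note on what this buys: the second step stops an accidental transfer to a wrong or dead address, and the AdminTransferStarted event gives operators a window to notice a nomination they did not make. It does not by itself neutralize a fully compromised admin key, so it pairs naturally with holding the admin role in a multisig or behind a timelock.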