Dria

Swan
NFT, Hardhat
21,000 USDC
Submission Details
Severity: medium
Invalid

Lack of two-step process for critical operations

Summary

Most of the contracts in Swan inherit ownership functionality from OwnableUpgradeable or Ownable, enabling single-step ownership transfers via transferOwnership. This approach lacks a two-step verification process that would require the proposed new owner to confirm ownership. Such a setup can lead to irrecoverable losses of contract ownership if the function is called with incorrect input, such as an erroneous address, resulting in permanent loss of control over critical contract functionality.

Vulnerability Details

The Swan contract, inheriting from OwnableUpgradeable, enables direct ownership transfer through a single call to transferOwnership. Inadvertent misuse could permanently lock access to essential functions within the Swan ecosystem, including asset listing, asset purchase, and contract upgrades.

Similar to Swan, the SwanManager contract also relies on OwnableUpgradeable. Ownership controls critical functions like setMarketParameters and setOracleParameters, which manage market and oracle settings, respectively. Without a two-step process, an accidental ownership transfer to an incorrect address could render these settings unmanageable.

The BuyerAgent contract inherits from Ownable, allowing single-step ownership transfers. As this contract is responsible for critical asset-buying operations, loss of ownership could lock users out of their funds and disrupt asset management on the platform.

The LLMOracleManager contract, like SwanManager, leverages OwnableUpgradeable. It defines oracle configuration parameters such as platformFee, generationFee, and validationFee. Misconfiguration in ownership could disable critical updates, impacting oracle fee handling and potentially affecting the system's reliability.

The LLMOracleRegistry contract uses OwnableUpgradeable and allows a single-step ownership transfer. The registry’s functionality centers around managing oracle registrations, with the owner’s authority needed to set staking requirements. If ownership is inadvertently transferred, the contract could lose its ability to manage and control oracle access.

The LLMOracleCoordinator contract, also inheriting from OwnableUpgradeable, is essential for orchestrating LLM Oracle requests. Critical functions like request and respond rely on owner access for configuration and fee updates. Losing ownership due to a single-step transfer to an incorrect address could hinder coordination efforts.

Impact

Each of these contracts performs critical functions that, if ownership is misassigned or lost, could severely impact the Swan ecosystem’s stability, user access to funds, and ability to handle oracle tasks reliably. Single-step ownership transfers increase the risk of irrevocable ownership loss, which could disrupt operational continuity and compromise system security.

Tools Used

Manual Review

Recommendations

Replace OwnableUpgradeable with Ownable2StepUpgradeable and Ownable with Ownable2Step across all contracts where transferOwnership is used. This approach will introduce a necessary confirmation step, where the proposed new owner must explicitly accept the ownership transfer before it takes effect.

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
