The SpookySwap contract's changeOwner function lacks zero address validation when transferring ownership, potentially allowing accidental transfer of ownership to the zero address (0x0), which would permanently lock admin functionality.
The contract implements ownership transfer without proper validation:
While the function uses OpenZeppelin's transferOwnership, it adds a wrapper that might mislead developers about the importance of address validation. The current implementation allows:

- Direct transfer to the zero address
- No two-step verification process
- No event emission at the wrapper level
Example of problematic transfer:
This would result in:

- Permanent loss of admin access
- Inability to add new treats
- Inability to withdraw collected fees
- The contract becoming partially frozen
- Only the owner can trigger the issue
- Results in permanent loss of admin functionality
- Affects contract maintenance and upgrades
- No direct user funds at risk
Manual review
Add zero address validation in the wrapper:
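The following is an added example, not the SpookySwap code or the original finding's snippet: a minimal wrapper that performs the recommended zero-address check, emits a wrapper-level event, and a second variant that closes the "no two-step process" point with OpenZeppelin's Ownable2Step. The contract names, the OwnerChanged event and the ZeroAddressOwner error are assumptions for illustration; the OpenZeppelin imports and the Ownable(initialOwner) constructor follow the v5 API. Note that OpenZeppelin's own Ownable.transferOwnership already reverts on address(0) in the library versions I am aware of, so the explicit check in the wrapper is defence in depth: it keeps the validation visible at the call site and still protects the contract if the wrapper is later changed to call _transferOwnership directly.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (assumed layout); not the audited project's code.
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {Ownable2Step} from "@openzeppelin/contracts/access/Ownable2Step.sol";

/// Single-step wrapper with explicit validation and its own event.
contract OwnedVault is Ownable {
    // Assumed names for illustration.
    error ZeroAddressOwner();
    event OwnerChanged(address indexed previousOwner, address indexed newOwner);

    constructor(address initialOwner) Ownable(initialOwner) {}

    /// Wrapper around OpenZeppelin's transferOwnership.
    /// Reverts before touching state if the new owner is the zero address,
    /// so the admin role can never be burned by a bad argument.
    function changeOwner(address newOwner) external onlyOwner {
        if (newOwner == address(0)) revert ZeroAddressOwner();

        address previous = owner();
        // OpenZeppelin emits OwnershipTransferred here as well; msg.sender is
        // still the caller of changeOwner, so the inner onlyOwner check passes.
        transferOwnership(newOwner);
        emit OwnerChanged(previous, newOwner);
    }
}

/// Two-step variant: transferOwnership only records a pending owner, and the
/// change takes effect when that address calls acceptOwnership(). A mistyped
/// or dead address therefore cannot become owner, because it can never accept.
contract OwnedVaultTwoStep is Ownable2Step {
    constructor(address initialOwner) Ownable(initialOwner) {}

    /// Same wrapper name as above so callers need no change; the pending
    /// owner is exposed through Ownable2Step's pendingOwner() for monitoring.
    function changeOwner(address newOwner) external onlyOwner {
        require(newOwner != address(0), "OwnedVaultTwoStep: zero address");
        transferOwnership(newOwner); // sets pendingOwner, emits OwnershipTransferStarted
    }
}
```

For a contract whose admin role is the only way to add treats or withdraw fees, the two-step variant is the stronger fix: the zero-address check stops one specific mistake, while requiring acceptOwnership() stops every unreachable address, not just 0x0. Either way, alerting on the OwnershipTransferred and OwnershipTransferStarted events gives operators a cheap way to detect an unexpected ownership change.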