Trick or Treat

First Flight #27
Beginner Friendly · Foundry · 100 EXP
Submission Details
Severity: low
Invalid

`changeOwner` function lacks zero address validation

Summary

The SpookySwap contract's `changeOwner` function performs no zero-address validation of its own when transferring ownership. If ownership could be transferred to the zero address (`0x0`), the owner-only functionality would be permanently locked.

Vulnerability Details

The contract wraps the ownership transfer in its own function without adding any validation:

```solidity
function changeOwner(address _newOwner) public onlyOwner {
    transferOwnership(_newOwner);
}
```

The function delegates to OpenZeppelin's `transferOwnership`, but the wrapper adds nothing on top of it, and its presence may give developers a false sense that address validation has been handled. The current implementation has the following properties:

  1. Ownership is transferred directly to whatever address is passed in, with no check for the zero address at the wrapper level

  2. The transfer happens in a single step; there is no two-step (propose/accept) verification

  3. The wrapper emits no event of its own

Example of the problematic call:

```solidity
// Called with the zero address
spookySwap.changeOwner(address(0));
```

This would result in:

  • Permanent loss of admin access

  • Inability to add new treats

  • Inability to withdraw collected fees

  • Contract becomes partially frozen

Impact

  • Only owner can trigger the issue

  • Results in permanent loss of admin functionality

  • Affects contract maintenance and upgrades

  • No direct user funds at risk

Tools Used

  • Manual review

Recommendations

  1. Add zero address validation in the wrapper:

```solidity
function changeOwner(address _newOwner) public onlyOwner {
    require(_newOwner != address(0), "New owner cannot be zero address");
    transferOwnership(_newOwner);
}
```

Updates
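The recommended check can be pinned down with a Foundry test. The following is an added example, not the contest's or the SpookySwap project's code: `OwnedVault` is a constructed stand-in that carries the recommended `changeOwner`, and it assumes OpenZeppelin Contracts v5 (whose `Ownable` constructor takes the initial owner and whose `transferOwnership` already rejects `address(0)` with `OwnableInvalidOwner`, so the wrapper's `require` mainly gives an explicit revert reason and a guard that survives a later swap of the base contract).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

// Constructed stand-in for the SpookySwap ownership wrapper with the recommended check.
contract OwnedVault is Ownable {
    constructor() Ownable(msg.sender) {}

    function changeOwner(address _newOwner) public onlyOwner {
        require(_newOwner != address(0), "New owner cannot be zero address");
        transferOwnership(_newOwner);
    }
}

contract ChangeOwnerTest is Test {
    OwnedVault vault;
    address deployer = makeAddr("deployer");
    address alice = makeAddr("alice");

    function setUp() public {
        vm.prank(deployer);
        vault = new OwnedVault();
    }

    // The wrapper's own guard fires and ownership is left untouched.
    function test_RevertWhen_NewOwnerIsZero() public {
        vm.prank(deployer);
        vm.expectRevert(bytes("New owner cannot be zero address"));
        vault.changeOwner(address(0));
        assertEq(vault.owner(), deployer);
    }

    // onlyOwner still applies: a non-owner cannot move ownership at all.
    function test_RevertWhen_CallerIsNotOwner() public {
        vm.prank(alice);
        vm.expectRevert(abi.encodeWithSelector(Ownable.OwnableUnauthorizedAccount.selector, alice));
        vault.changeOwner(alice);
    }

    // A valid non-zero address is accepted in a single step.
    function test_TransfersToValidOwner() public {
        vm.prank(deployer);
        vault.changeOwner(alice);
        assertEq(vault.owner(), alice);
    }
}
```

Run with `forge test --match-contract ChangeOwnerTest`; the second test documents the existing `onlyOwner` behaviour so a regression in either guard is caught.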

Appeal created

bube (Lead Judge), 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
