Aave DIVA Wrapper
DIVA
HardhatDeFi
15,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Immutable Owner Without Transfer Capability in WToken Contract

0xvd

Summary

The WToken contract implements an ownership mechanism where the owner address is set during contract deployment and cannot be changed afterward.

This immutability creates a significant risk as there's no mechanism to transfer ownership or update the owner address in case of compromise or contract upgrades.

Vulnerability Details

In the WToken contract, the owner address is stored in a private variable that is set only once during contract initialization:

address private _owner; // address(this)
constructor(string memory symbol_, uint8 decimals_, address owner_) ERC20(symbol_, symbol_) {
_owner = owner_;
_decimals = decimals_;
}

The owner address is used to restrict critical functions through the onlyOwner modifier:

modifier onlyOwner() {
require(_owner == msg.sender, "WToken: caller is not owner");
_;
}

However, once set, there is no functionality to update this address.

This creates a single point of failure as the ownership cannot be transferred to a new address if needed.

Impact

If the owner contract needs to be upgraded, the WToken must be redeployed as ownership cannot be transferred to the new contract

If the owner's private key is compromised, there's no way to transfer ownership to a secure address

Tools Used

Recommendations

Implement OpenZeppelin's Ownable2Step pattern for secure ownership transfers

Updates

Lead Judging Commences

bube Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Design choice

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.