The Referral.sol contract inherits from OwnableUpgradeable, which allows for a single-step ownership transfer. This poses a risk of accidental ownership transfer to a mistyped or invalid address. It is recommended to use Ownable2StepUpgradeable instead, which implements a two-step ownership transfer process, requiring the new owner to explicitly accept the transfer.
The vulnerability lies in the use of OwnableUpgradeable (line 18 of Referral.sol). With OwnableUpgradeable, ownership is transferred immediately when the transferOwnership function is called. If the new owner address is mistyped or invalid, the contract ownership could be permanently lost. Ownable2StepUpgradeable mitigates this risk by requiring the new owner to explicitly accept the transfer, ensuring that ownership is only transferred to a valid address.
Risk of Accidental Ownership Transfer: If the new owner address is mistyped, the contract ownership could be permanently lost.
Loss of Control: The contract owner could lose control over critical functionality or assets.
Severity: Low (no immediate threat, but a security improvement is recommended).
Manual code review
Replace OwnableUpgradeable with Ownable2StepUpgradeable to implement a safer ownership transfer mechanism. This ensures that ownership cannot be accidentally transferred to an invalid address.
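The recommended swap, sketched as an added example rather than the project's own code: ReferralSketch, rewardBps and setRewardBps are hypothetical stand-ins for the real Referral.sol, and OpenZeppelin Contracts Upgradeable v5.x is assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; assumes OpenZeppelin Contracts Upgradeable v5.x.
// Before: import {OwnableUpgradeable} from
//     "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
import {Ownable2StepUpgradeable} from
    "@openzeppelin/contracts-upgradeable/access/Ownable2StepUpgradeable.sol";

// Hypothetical stand-in for Referral.sol; only the ownership wiring is shown.
// Before: contract ReferralSketch is OwnableUpgradeable
contract ReferralSketch is Ownable2StepUpgradeable {
    uint256 public rewardBps; // hypothetical owner-controlled setting

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        _disableInitializers(); // lock the implementation contract itself
    }

    function initialize(address initialOwner) external initializer {
        __Ownable_init(initialOwner); // v5 signature; v4.x takes no argument
        __Ownable2Step_init();
    }

    // Existing onlyOwner functions need no change: the modifier is inherited.
    function setRewardBps(uint256 bps) external onlyOwner {
        rewardBps = bps;
    }
}

// Resulting transfer flow (functions inherited from Ownable2StepUpgradeable):
//
// 1. Current owner calls transferOwnership(candidate).
//    owner() is unchanged, pendingOwner() == candidate, and
//    OwnershipTransferStarted(owner, candidate) is emitted.
// 2. candidate calls acceptOwnership().
//    owner() becomes candidate and pendingOwner() is cleared.
//    Any other caller reverts.
//
// If candidate was mistyped, step 2 never happens: the current owner keeps
// control and can call transferOwnership again to overwrite the pending owner.
```

On OpenZeppelin 4.x the two-step variant adds a _pendingOwner storage slot, so check the storage layout before applying the swap to a proxy that is already deployed.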