Vyper Vested Claims

First Flight #34
Beginner Friendly, DeFi
Submission Details
Severity: low
Invalid

[L-1] Lack of an ownership transfer feature can lead to scalability issues

Summary

Ownership is only set once during deployment of the contract and cannot be changed afterwards.

Vulnerability Details

The owner is trusted, so this issue could be low or just informational. However, VestedAirdrop::rescue_tokens and VestedAirdrop::set_merkle_root both depend on the owner. As the protocol evolves, this may become a problem if different roles are assigned to different addresses or if the protocol's owner changes.

Impact

If the protocol's owner changes after deployment, this contract will not work as expected, and we would need to deploy a new contract with the new owner.

Recommendations

Add the trusted snekmate dependency and use the ownable library to allow features like ownership transferability or checking the owner.

mox install snekmate

Import the ownable snekmate library:

from snekmate.auth import ownable
initializes: ownable

This makes the following internal functions available to the contract:

# replaces the custom onlyOwner() check
@internal
def _check_owner():
    ...

@internal
def _transfer_ownership(new_owner: address):
    ...

Then export this specific external function:

exports: (
    ownable.transfer_ownership
    # others if needed
)

And invoke the module's __init__ inside the constructor:

@deploy
def __init__():
    ownable.__init__()
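
The recommendation steps above combined into one contract, as an added sketch that is not the VestedAirdrop source. The compiler pragma, the storage variables, and the signatures of set_merkle_root and rescue_tokens are assumptions; only the snekmate ownable calls come from the library.

```vyper
# pragma version ~=0.4.0
# Added sketch: storage layout and function signatures are assumed,
# not copied from the audited contract.
from ethereum.ercs import IERC20
from snekmate.auth import ownable

initializes: ownable

# Expose the module's ownership interface on this contract.
exports: (
    ownable.owner,
    ownable.transfer_ownership,
)

merkle_root: public(bytes32)      # assumed storage variable
token: public(immutable(IERC20))  # assumed immutable


@deploy
def __init__(_merkle_root: bytes32, _token: address):
    # snekmate's constructor records msg.sender as the initial owner.
    ownable.__init__()
    self.merkle_root = _merkle_root
    token = IERC20(_token)


@external
def set_merkle_root(new_root: bytes32):
    # Reverts unless msg.sender is the *current* owner, so the check
    # follows the owner across transfer_ownership calls.
    ownable._check_owner()
    self.merkle_root = new_root


@external
def rescue_tokens(to: address, amount: uint256):
    ownable._check_owner()
    # default_return_value tolerates tokens that return no bool.
    assert extcall token.transfer(to, amount, default_return_value=True)
```

Because both privileged functions read the owner from the module's storage on every call, a later transfer_ownership moves control of them without redeploying the contract.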

Updates

Appeal created

bube Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
