The contract lets the admin change ownership to another address without any safety checks or event logs, so the admin can permanently lose control of the contract. This is risky if the admin makes a mistake or is tricked.
The setAdmin function changes the admin in a single call with no confirmation step. If the admin passes the wrong address (for example a contract that cannot act as admin, or an invalid address such as the zero address), control of the contract is lost permanently. There is also no event emitted, so changes of admin cannot be tracked off-chain.
Admin can accidentally lose control of the contract.
No logs to track when or to whom the admin role was changed.
If a bad actor tricks the admin into setting their address, they could take over and withdraw funds from the contract.
Manual Review.
Add an event such as AdminChanged(address oldAdmin, address newAdmin) and emit it on every change so admin transfers can be tracked.
Also, OpenZeppelin's AccessControl (or Ownable2Step, which requires the new admin to accept the role before the transfer takes effect) should be used to manage administration of the contract, so that a mistaken or maliciously induced transfer cannot hand control to an unintended address.
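The following is an added illustration, not code from the audited contract. VulnerableAdmin is a hypothetical reconstruction of the pattern the finding describes (single-step setAdmin, no zero-address check, no event); TwoStepAdmin shows the recommended fix: the current admin nominates a pending admin, the nominee must call acceptAdmin from that address before the change takes effect, and both steps emit events. Contract, function and event names are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical reconstruction of the vulnerable pattern (not the audited code):
// one call, no validation, no event. A typo or a phished address is final.
contract VulnerableAdmin {
    address public admin;

    constructor() {
        admin = msg.sender;
    }

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    function setAdmin(address newAdmin) external onlyAdmin {
        admin = newAdmin; // address(0) or an uncontrolled address bricks admin functions
    }
}

// Hardened version: two-step transfer with events.
contract TwoStepAdmin {
    address public admin;
    address public pendingAdmin;

    event AdminTransferStarted(address indexed currentAdmin, address indexed newAdmin);
    event AdminChanged(address indexed oldAdmin, address indexed newAdmin);

    error NotAdmin();
    error NotPendingAdmin();
    error ZeroAddress();

    constructor() {
        admin = msg.sender;
    }

    modifier onlyAdmin() {
        if (msg.sender != admin) revert NotAdmin();
        _;
    }

    // Step 1: nominate. Nothing changes yet, so a wrong nomination can simply be
    // overwritten (or cleared with address(0) via cancelAdminTransfer).
    function transferAdmin(address newAdmin) external onlyAdmin {
        if (newAdmin == address(0)) revert ZeroAddress();
        pendingAdmin = newAdmin;
        emit AdminTransferStarted(admin, newAdmin);
    }

    // Step 2: the nominee proves it can actually transact from that address.
    // An EOA with a lost key, or a contract that cannot make this call, never
    // becomes admin, so control is never handed to an address that cannot use it.
    function acceptAdmin() external {
        if (msg.sender != pendingAdmin) revert NotPendingAdmin();
        address oldAdmin = admin;
        admin = msg.sender;
        delete pendingAdmin;
        emit AdminChanged(oldAdmin, msg.sender);
    }

    // Lets the current admin withdraw a nomination before it is accepted.
    function cancelAdminTransfer() external onlyAdmin {
        delete pendingAdmin;
        emit AdminTransferStarted(admin, address(0));
    }
}
```

OpenZeppelin's Ownable2Step implements the same flow with transferOwnership / acceptOwnership and emits OwnershipTransferStarted and OwnershipTransferred, so inheriting it instead of hand-rolling the logic is the lower-risk option in a production contract. Off-chain monitoring should alert on the "started" event, not only the final one, since that is the point at which a mistaken or phished nomination can still be cancelled.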
Code suggestions or observations that do not pose a direct security risk.