Rock Paper Scissors
First Flight #38
Beginner FriendlySolidity
100 EXP
View results
Previous Next
Submission Details
Severity: low
Invalid

Unsafe Admin Transfer with not time-delay

dappscout

Unsafe Admin Transfer Without Two-Step Verification

Summary

The RockPaperScissors contract implements an admin transfer function that immediately transfers control to a new address without any verification that the new address can actually function as an admin, creating a risk of permanently losing admin access.

Vulnerability Details

The setAdmin function performs an immediate transfer of admin rights:

function setAdmin(address _newAdmin) external {
require(msg.sender == adminAddress, "Only admin can set new admin");
require(_newAdmin != address(0), "Admin cannot be zero address");
adminAddress = _newAdmin;
}

While this function does check that the new admin is not the zero address, it has these critical security issues:

  1. The transfer happens in a single transaction with no confirmation

  2. There's no verification that the new address can actually access its private keys

  3. A simple typo in the address could result in permanent loss of admin control

  4. There's no time-delay to allow recovery if the transfer was unintended

Impact

This vulnerability can lead to:

  1. Permanent loss of admin control if the address is mistyped

  2. Inability to withdraw protocol fees

  3. No way to update protocol parameters

  4. Contract becoming effectively immutable if admin access is lost

Tools Used

Manual code review

Recommendations

Implement a two-step ownership transfer pattern that requires the new admin to accept the role

Updates

Appeal created

m3dython Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.