Submission Details
Impact:
Likelihood:
Owner Centralization and Lack of Ownership Transfer Mechanism
Root + Impact
Description
Normally, the owner manages the contract, registers users, and manages funds. However, the owner address is fixed and there is no mechanism to transfer or change ownership. This creates a risk where if the owner loses access or acts maliciously, contract management can become locked or uncontrollable.
// Owner checks exist in all functions but no owner change function
assert!(signer::address_of(owner) == state.owner, E_NOT_OWNER); @>
Risk
Likelihood:
-
Reason 1 // Describe WHEN this will occur (avoid using "if" statements)
-
No ability to update owner after project/team changes.
Impact:
-
Risk of owner address being lost or compromised.
-
No ability to update owner after project/team changes.
Proof of Concept
Owner address cannot be changed, so if new admin is needed, operations halt.
Recommended Mitigation
+ // Add a secure "change_owner" entry function
+ public entry fun change_owner(current_owner: &signer, new_owner: address) acquires State {
+ let state = borrow_global_mut<State>(get_resource_address());
+ assert!(signer::address_of(current_owner) == state.owner, E_NOT_OWNER);
+ state.owner = new_owner;
+ }
Rewards breakdown
nSLOC
125This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.