RebateFi Hook
First Flight #53
Beginner FriendlyDeFi
100 EXP
View results
Previous Next
Submission Details
Impact: high
Likelihood: high
Invalid

Unsafe Ownership Initialization: Ownable(msg.sender) in Constructor Can Assign Ownership to Wrong

eagerpanda582

Root + Impact

Description

  • The contract sets ownership using:

    constructor() Ownable(msg.sender) {}

    This is unsafe, because msg.sender inside the constructor is simply the account or contract that deploys this contract, which in most real-world deployments is not the intended owner.

Risk

Likelihood:

  • Modern deployments frequently use factories, proxies, Gnosis Safe relayers, or Create2 scripts. In these setups, msg.sender is almost never the intended final owner. This makes incorrect ownership assignment highly likely during deployment.

Impact:

  • Using msg.sender inside the constructor to initialize ownership may assign the contract owner to an unintended address (factory contract, relayer, deployment script, or Create2 deployer).
    This can result in permanent loss of ownership, inability to manage or upgrade the contract, or ownership being assigned to a third party that cannot execute admin actions.

  • In the worst case, this can lead to total loss of control and broken business logic.

Proof of Concept

None

Recommended Mitigation

Replace:

Ownable(msg.sender)

with:

constructor(address _owner) Ownable(_owner) {}
Updates

Lead Judging Commences

chaossr Lead Judge
13 days ago
chaossr Lead Judge 12 days ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!