The factory validates that the pool creator is the current owner of the agreement at pool initialization, establishing a mapping between the agreement and the deployed pool.
The admin ownership of the deployed pool (Ownable2Step) is set once to the creator and is completely decoupled from the agreement's owner. If the agreement is sold or transferred to a new owner, the pool's admin keys do not follow, leaving the original seller in control of the pool's parameters.
Likelihood:
Agreements change owners via sales, updates, or governance operations.
Buyers assume administrative control of the pool automatically updates.
Original creators retain pool-admin rights to pause paths or redirect recovery sweeps.
Impact:
Agreement buyers have no control over the pool's parameters.
Original pool creators can redirect CORRUPTED sweeps to their private wallets after agreement sale.
The test file DeepDiveEdgeCases.t.sol contains testPoolOwnerRetainedAfterAgreementOwnerChanges demonstrating this desync.
The PoC shows that after alice stakes 100 tokens, the seller (pool creator) holds the pool's owner key. When the agreement's owner is updated to buyer, the pool's owner() still returns seller. The seller then successfully calls setRecoveryAddress — a sensitive admin action that the buyer reasonably expects to control — proving the ownership desync is immediately exploitable.
How to Run
Run the test from the workspace directory using the following Foundry command:
Update administrative functions to directly query the dynamic agreement owner instead of checking static pool ownership.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.
The contest is complete and the rewards are being distributed.