Closed code423n4 closed 3 years ago
shw
The transferOwnership function of Liquidation does not check the provided parameter, newOwner, is non-zero. However, the same function in TracerPerpetualSwaps does. The contract could lose the owner if the parameter is provided as zero accidentally.
transferOwnership
Liquidation
newOwner
TracerPerpetualSwaps
Referenced code: Liquidation.sol#L445-L447
Add a require(newOwner != address(0), "...") check after line 445.
require(newOwner != address(0), "...")
Resolved in https://github.com/tracer-protocol/perpetual-contracts/pull/172
closing to reflect findings from judges sheet as duplicate of #49
OsmanBran
commented
3 years ago 
loudoguno
Handle
shw
Vulnerability details
Impact
The
transferOwnershipfunction ofLiquidationdoes not check the provided parameter,newOwner, is non-zero. However, the same function inTracerPerpetualSwapsdoes. The contract could lose the owner if the parameter is provided as zero accidentally.Proof of Concept
Referenced code: Liquidation.sol#L445-L447
Recommended Mitigation Steps
Add a
require(newOwner != address(0), "...")check after line 445.