code-423n4 / 2021-09-defiprotocol-findings


Setting wrong publisher cannot be undone #222

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

cmichel

Vulnerability details

The Basket.changePublisher function is used for both setting a new pending publisher as well as accepting the publisher transfer from the pending publisher.

Impact

Once a pending publisher has been set, no other publisher can be set and if the pending publisher does not accept it, the contract is locked out of setting any other publishers. Setting a wrong publisher can naturally occur.

Recommended Mitigation Steps

Add an option to set a new pending publisher even if there already is a pending publisher.
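The lock-out described in this report and the recommended mitigation, as an added example that is not the audited Basket code. It is a simplified model: the state layout, the access checks and every name except `changePublisher` are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified model written for this example, not the audited Basket contract.
// State layout, access checks and all names except changePublisher are assumptions.
contract SingleEntryPublisher {
    address public publisher;
    address public pendingPublisher;

    constructor() { publisher = msg.sender; }

    // One entry point proposes and accepts. Once pendingPublisher is set,
    // the proposing branch is unreachable until that address accepts.
    function changePublisher(address newPublisher) external {
        require(newPublisher != address(0), "zero address");
        if (pendingPublisher != address(0)) {
            require(msg.sender == pendingPublisher, "not pending publisher");
            require(newPublisher == pendingPublisher, "pending already set");
            publisher = newPublisher;
            pendingPublisher = address(0);
        } else {
            require(msg.sender == publisher, "not publisher");
            pendingPublisher = newPublisher;
        }
    }
}

// Mitigated variant: proposing and accepting are separate functions.
contract ReplaceablePendingPublisher {
    address public publisher;
    address public pendingPublisher;

    constructor() { publisher = msg.sender; }

    // The current publisher can overwrite a mistaken proposal at any time.
    function proposePublisher(address newPublisher) external {
        require(msg.sender == publisher, "not publisher");
        require(newPublisher != address(0), "zero address");
        pendingPublisher = newPublisher;
    }

    // Only the currently proposed address can complete the transfer.
    function acceptPublisher() external {
        require(msg.sender == pendingPublisher, "not pending publisher");
        publisher = pendingPublisher;
        pendingPublisher = address(0);
    }
}
```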

GalloDaSballo commented 2 years ago

In line with zero address check validation, given the fact that:

the lack of a 2-step process to claim an address can be viewed as a feature that is missing / should be added

Will set all similar issues to a low severity