code-423n4 / 2021-12-yetifinance-findings


Possible owner loss #115

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

0x1f8b

Vulnerability details

Impact

Because of a human error, it's possible to set a new invalid owner.

Proof of Concept

In the method YetiFinanceTreasury.updateTeamWallet it's possible to change the teamWallet, but this team wallet is not checked; it could be address(0) or an invalid address. When you want to change the address of the owner, it's better to propose a new owner and then accept this ownership with the new wallet. This way, you will never have the chance of losing the ownership.

Tools Used

Manual review

Recommended Mitigation Steps

Implement an ACK system for changing the ownership
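
The propose-then-accept pattern recommended above, as an added example that is not part of the original report or of the Yeti Finance code. Apart from `teamWallet`, every name here (the contract, `pendingTeamWallet`, both functions, the events) and the compiler version are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0; // assumed compiler version, not taken from the project

// Added illustration; NOT the YetiFinanceTreasury source.
// All identifiers except teamWallet are hypothetical.
contract TwoStepTeamWalletExample {
    address public teamWallet;
    address public pendingTeamWallet;

    event TeamWalletProposed(address indexed current, address indexed proposed);
    event TeamWalletUpdated(address indexed previous, address indexed current);

    modifier onlyTeam() {
        require(msg.sender == teamWallet, "caller is not teamWallet");
        _;
    }

    constructor(address initialTeamWallet) {
        require(initialTeamWallet != address(0), "zero address");
        teamWallet = initialTeamWallet;
    }

    // Step 1: the current wallet nominates a successor. Control does not move
    // yet, so a mistyped nomination can simply be overwritten by a new one.
    function proposeTeamWallet(address proposed) external onlyTeam {
        require(proposed != address(0), "zero address");
        pendingTeamWallet = proposed;
        emit TeamWalletProposed(teamWallet, proposed);
    }

    // Step 2: the nominee must send this call itself, which proves the new
    // address can sign transactions before it receives control.
    function acceptTeamWallet() external {
        require(msg.sender == pendingTeamWallet, "caller is not pending wallet");
        emit TeamWalletUpdated(teamWallet, msg.sender);
        teamWallet = msg.sender;
        delete pendingTeamWallet;
    }
}
```

Until `acceptTeamWallet` succeeds, `teamWallet` is unchanged, so an address nobody controls can be proposed but can never take over.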

kingyetifinance commented 2 years ago

@LilYeti: Not really an error, the tx has to be approved by a multisig so there are already checks in place to not set it to 0. So acknowledged, but severity 0 probably.

alcueca commented 2 years ago

Duplicate of #251