Handle
Ruhum
Vulnerability details
Impact
Assigning a new address to be in control of a contract should always be done in a two-step process. Otherwise, you might potentially lose access by assigning it to an address for which you don't have the key. By using a two-step process you make sure that everything works as expected.
Using the current owner you assign a new pending owner. Using the pending owner you then claim ownership. The current owner is then overwritten by the pending one and the pending owner address is cleared.
Proof of Concept
https://github.com/code-423n4/2021-12-yetifinance/blob/main/packages/contracts/contracts/YetiFinanceTreasury.sol#L28
Tools Used
none
Recommended Mitigation Steps
Check out the Compound Timelock contract as an example: https://github.com/compound-finance/compound-protocol/blob/master/contracts/Timelock.sol#L45-L58