This function transfers/renounce the ownership of the contract in a single step. There is no way to reverse a one-step transfer of ownership to an address without an owner. This would not be the case if ownership were transferred through a two-step process in which an owner proposed a transfer and the prospective recipient accepted it.
Proof of Concept
Alice wants to transfer ownership of contract.sol to a new wallet address. Alice executes transferOwnership() function to the wrong address. Not double checking it before, Alice has now set the owner to the wrong address and now this cannot be undone. Alice is locked out of the ability to execute all critical onlyOwner functions.
Tools Used
Manuel Review
Recommended Mitigation Steps
Use a two-step process for ownership transfers/renounce.
Lines of code
https://github.com/code-423n4/2022-06-nested/blob/main/contracts/abstracts/OwnableProxyDelegation.sol#L50-L67
Vulnerability details
Impact
This function transfers/renounce the ownership of the contract in a single step. There is no way to reverse a one-step transfer of ownership to an address without an owner. This would not be the case if ownership were transferred through a two-step process in which an owner proposed a transfer and the prospective recipient accepted it.
Proof of Concept
Alice wants to transfer ownership of
contract.sol
to a new wallet address. Alice executestransferOwnership()
function to the wrong address. Not double checking it before, Alice has now set the owner to the wrong address and now this cannot be undone. Alice is locked out of the ability to execute all criticalonlyOwner
functions.Tools Used
Manuel Review
Recommended Mitigation Steps
Use a two-step process for ownership transfers/renounce.