Lines of code
https://github.com/code-423n4/2023-01-drips/blob/main/src/DripsHub.sol#L53
https://github.com/code-423n4/2023-01-drips/blob/main/src/Managed.sol#L84-L86
Vulnerability details
Impact
The main contract of the Drips protocol, DripsHub, inherits the changeAdmin() function from Managed to update the admin address.
Inside this function the address is simply changed to the new value. If the newAdmin parameter is set incorrectly by mistake, admin access will be lost, including the ability to pause/unpause/upgrade the contract.
Changing the admin of the DripsHub contract should be done in two steps, because this contract is the most critical contract for the Drips protocol.
Proof of Concept
Tools Used
Manual review.
Recommended Mitigation Steps
Use a two-step admin change for the DripsHub contract.
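One way to structure the two-step change recommended above, as an added example that is not code from the Drips repository or from the report's author. It is a simplified stand-alone contract that keeps the admin in ordinary storage and sets it in a constructor (an assumption made for brevity), and the names TwoStepAdmin, proposeNewAdmin, acceptAdmin and pendingAdmin are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Added illustration only: a simplified stand-alone two-step admin handover.
/// All names here (TwoStepAdmin, proposeNewAdmin, acceptAdmin, pendingAdmin)
/// are hypothetical and do not come from the Drips code base.
abstract contract TwoStepAdmin {
    address private _admin;
    address private _pendingAdmin;

    event NewAdminProposed(address indexed currentAdmin, address indexed proposedAdmin);
    event AdminChanged(address indexed previousAdmin, address indexed newAdmin);

    constructor(address initialAdmin) {
        require(initialAdmin != address(0), "Admin is zero address");
        _admin = initialAdmin;
        emit AdminChanged(address(0), initialAdmin);
    }

    modifier onlyAdmin() {
        require(msg.sender == _admin, "Caller is not the admin");
        _;
    }

    function admin() public view returns (address) { return _admin; }
    function pendingAdmin() public view returns (address) { return _pendingAdmin; }

    /// Step 1: the current admin nominates a successor. Admin rights do not
    /// move yet, so a mistyped address can be corrected by calling this again
    /// (or the nomination cancelled by proposing address(0)).
    function proposeNewAdmin(address newAdmin) external onlyAdmin {
        _pendingAdmin = newAdmin;
        emit NewAdminProposed(_admin, newAdmin);
    }

    /// Step 2: only the nominated address can complete the handover, which
    /// proves it can send transactions before the old admin loses access.
    function acceptAdmin() external {
        require(msg.sender == _pendingAdmin, "Caller is not the pending admin");
        address previous = _admin;
        _admin = msg.sender;
        delete _pendingAdmin;
        emit AdminChanged(previous, msg.sender);
    }
}
```

With this shape, a wrong newAdmin value leaves the current admin in place, because the handover only completes when the proposed address itself calls the accept function.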