`setDrawManager` lack of two-step role transfer

[code423n4]

Lines of code

https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/PrizePool.sol#L299#L306

Vulnerability details

Impact

if transfer the role to a none-exist address , the contract need to re-deploy. It is recommended to have 2 steps

• setting a pending Manager address
• use the pending address to accept the Manager role

Proof of Concept

  function setDrawManager(address _drawManager) external {
    if (drawManager != address(0)) {
      revert DrawManagerAlreadySet();
    }
    drawManager = _drawManager;

    emit DrawManagerSet(_drawManager);
  }

Tools Used

vscode

Recommended Mitigation Steps

It is recommended to implement a two-step role transfer where the role recipient is set and then the recipient has to claim that role to finalise the role transfer

Assessed type

Other

[c4-judge]

Picodes marked the issue as unsatisfactory: Insufficient quality