renounce_ownership is not renouncing the ownership , instead it transfer the ownership to the pending_owner

[hats-bug-reporter[bot]]

Github username: -- Twitter username: -- Submission hash (on-chain): 0x81879b03c6822fcf1cf71e03c997e927aad2f57e996b3407093a9b4629dc0e4b Severity: low

Description: Description\

The contract implements the ownership function. there are certain functions liketransfer_ownership, accept_ownership and renounce_ownership.

The function renounce_ownership is expected to renounce the ownership. Refer the OZ implementation here.

But, it transfer the ownership to the pending owner.

ownable2step.rs#L98-L112

    pub fn renounce_ownership(
        &mut self,
        caller: AccountId,
        contract_address: AccountId,
    ) -> Ownable2StepResult<()> {
        self.ensure_owner(caller)?;
        let pending_owner = self.get_pending_owner()?;
        if pending_owner != contract_address {
            return Err(Ownable2StepError::ContractNotPendingOwner(pending_owner));
        }
        self.owner = contract_address;
        self.pending_owner = None;

        Ok(())
    }

Impact\

Renouncing ownership to the zero address is a step towards making the contract fully decentralized. Without an owner, no single entity has control over the contract, aligning with the principles of decentralization in blockchain ecosystems. The current implementation will not serve the purpose.

Attachments

2. Revised Code File (Optional)

If the contract wants to remove the ownership, remove it fully instead of hand over to pending owner.

[JanKuczma]

Once the ownership of the contract is transferred to the contract address, this state can be regarded as renounced ownership. In this state, no other account has access to the restricted methods and since the contract is not upgradeable, this state will never change (the contract won't be able to call itself to transfer ownership).