Description
Governor_v1 implements a function called acceptOwnership. The function calls Ownable2Step.acceptOwnership on adr to accept ownership of that contract and become its new owner.
    function acceptOwnership(address adr)
        external
        onlyCommunityOrTeamMultisig
    {
        if (adr.code.length == 0) {
            revert Governor__CallToTargetContractFailed();
        }
        (bool success,) =
            adr.call(abi.encodeCall(Ownable2Step.acceptOwnership, ()));
        // if the call is not a success
        if (!success) {
            revert Governor__CallToTargetContractFailed();
        }
        emit OwnershipAccepted(adr);
    }
One contract that Governor_v1 is built around being the owner of is FeeManager_v1. Governor_v1 has multiple functions that control the fees and the treasuries of FeeManager_v1.
The issue here is that, after Governor_v1 accepts ownership, it can't transfer it to another address, as the contract doesn't implement a function that calls Ownable2Step.transferOwnership on a specified address.
If the protocol wants to change ownership to an EOA, for example, they have to deploy a new fee manager with the new owner.
Attack Scenario
Attachments
Proof of Concept (PoC) File
Revised Code File (Optional)
Add a function that calls Ownable2Step.transferOwnership on a target address.
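The following is an added illustration of the recommended fix, not code from the project or the submitter. It is a minimal governor sketch that keeps the acceptOwnership pattern quoted above and adds the missing counterpart that calls Ownable2Step.transferOwnership on the target. The multisig gate, the contract name and the event names are assumptions standing in for the real onlyCommunityOrTeamMultisig modifier and Governor_v1.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// OpenZeppelin's two-step ownable; both acceptOwnership and transferOwnership are public.
import {Ownable2Step} from "@openzeppelin/contracts/access/Ownable2Step.sol";

/// Illustrative governor (assumption: not the project's Governor_v1).
contract GovernorOwnershipExample {
    error Governor__CallToTargetContractFailed();
    error Governor__Unauthorized();

    event OwnershipAccepted(address indexed target);
    event OwnershipTransferStarted(address indexed target, address indexed newOwner);

    // Stand-in for the real onlyCommunityOrTeamMultisig gate (assumption).
    address public immutable multisig;

    constructor(address multisig_) {
        multisig = multisig_;
    }

    modifier onlyMultisig() {
        if (msg.sender != multisig) revert Governor__Unauthorized();
        _;
    }

    /// Step 2 of Ownable2Step from the governor's side: become owner of `adr`
    /// after `adr`'s current owner called transferOwnership(address(this)).
    function acceptOwnership(address adr) external onlyMultisig {
        if (adr.code.length == 0) revert Governor__CallToTargetContractFailed();
        (bool success,) = adr.call(abi.encodeCall(Ownable2Step.acceptOwnership, ()));
        if (!success) revert Governor__CallToTargetContractFailed();
        emit OwnershipAccepted(adr);
    }

    /// The missing function: start handing ownership of `adr` to `newOwner`.
    /// Because `adr` is Ownable2Step, this only sets the pending owner; `newOwner`
    /// (an EOA or a contract able to call acceptOwnership) must then call
    /// acceptOwnership on `adr`. Until it does, this governor remains the owner
    /// and can call this function again to overwrite the pending owner.
    function transferOwnership(address adr, address newOwner) external onlyMultisig {
        if (adr.code.length == 0) revert Governor__CallToTargetContractFailed();
        (bool success,) =
            adr.call(abi.encodeCall(Ownable2Step.transferOwnership, (newOwner)));
        if (!success) revert Governor__CallToTargetContractFailed();
        emit OwnershipTransferStarted(adr, newOwner);
    }
}
```

The same low-level call shape as the existing acceptOwnership is kept deliberately: the target is only required to expose the Ownable2Step interface, not to be a known contract type, and a failed call reverts rather than silently leaving ownership where it was. The caveat to keep in mind when using it is that the transfer is not complete until the new owner accepts; if the chosen new owner cannot call acceptOwnership, the governor stays owner and the pending transfer can simply be overwritten.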
For now we didn't intend to switch the ownership over contracts from the governor side.
The acceptance of ownership was in case we would have to bring in another beacon contract.
Github username: --
Twitter username: @EgisSec
Submission hash (on-chain): 0x02e7a6dc883d4ca52bbc0eaa0f6a7929cb18cb3592218668abcbd5d48ec41e42
Severity: medium