Open hats-bug-reporter[bot] opened 11 months ago
We use gnosis multi signature for any txn of onlyOwner
function execution, not to have this kind of scenario
but TY
@bunbuntigery This does not seem to be an issue as described by @seongyun-ko
If you search Solodit, there are many instances of this being reported and accepted as an issue. Whether it's from a multisig or single account is not really relevant. As pointed out in the report, the likely hood of this happening is low, but the ramifications are high.
Github username: @jonsey Submission hash (on-chain): 0x857092751a5e08c02cb35af394eae4e3c296dbbfc3cc52e9ae6768a7e510c8e9 Severity: medium
Description: Description\
Treasury
inherits from OpenzeppelinOwnable
which allows the owner torenounceOwnership
of the contract.Attack Scenario\ Calling this
renounceOwnership
will leave the contract without an owner, preventing any further administrative operations. Specificallywithdraw
will not be able to be called, locking any depositied funds in the contract.Risk level\ Likelihood - 1 Impact - 5 Overall: Medium
Attachments
Proof of Concept (PoC) File
Revised Code File (Optional) It is recommended that the owner should not be able to renounce ownership without transfering the ownership first. The functionality can be disabled by adding the following code to the
Treasury
.