near / core-contracts

Core contracts: reference staking pool, lockup, voting, whitelist, multisig.

Removal of all Main PublicKeys #48

Closed MaksymZavershynskyi closed 4 years ago

MaksymZavershynskyi commented 4 years ago

Impact: High

Likelihood: Low

Reported by a third party.

Description

In the lockup contract, main public keys are used by the owner to operate certain owner functions such as adding and removing other keys and transferring funds.

The current owner is able to remove all keys including their own key, leaving the contract with no remaining main keys. This would effectively lock any remaining balance in the contract.

An accidental case where this occurs would be when a user sends two transactions, one to add a new key and the other to remove the existing key. If these two transactions are executed in the wrong order (i.e. the deletion first), the contract will be locked.

Recommendations

To add a level of protection against accidental deletion, it is recommended to either:

• Prevent deletion of the signing key;
• Ensure there is at least one main key in the list of keys.

evgenykuzyakov commented 4 years ago

The temporary solution is to prevent deletion of the signing key. The long-term solution is to remove public keys and use a master account: https://github.com/near/initial-contracts/issues/31

Estimate: 1.

ilblackdragon commented 4 years ago

Related - https://github.com/nearprotocol/NEPs/issues/79
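The following is an added example, not part of the issue thread and not the code of near/core-contracts. It models the main-key list with the two recommended guards and replays the reordered add/remove pair described in the issue. The `MainKeys` type, the `Guard` policy switch, the error names and the string keys are all hypothetical.

```rust
use std::collections::BTreeSet;
// Hypothetical model of the lockup contract's main-key list (not the contract's code).
// Keys are constructed strings standing in for public keys.
pub enum Guard { None, SignerKey, LastKey }

#[derive(Debug, PartialEq)]
pub enum KeyError { NotAuthorized, UnknownKey, RemovingSigner, LastKey }
pub struct MainKeys { keys: BTreeSet<String>, guard: Guard }

impl MainKeys {
    pub fn new(initial: &str, guard: Guard) -> Self {
        MainKeys { keys: BTreeSet::from([initial.to_string()]), guard }
    }
    pub fn len(&self) -> usize { self.keys.len() }

    pub fn add_key(&mut self, signer: &str, key: &str) -> Result<(), KeyError> {
        if !self.keys.contains(signer) { return Err(KeyError::NotAuthorized); }
        self.keys.insert(key.to_string());
        Ok(())
    }

    pub fn remove_key(&mut self, signer: &str, key: &str) -> Result<(), KeyError> {
        if !self.keys.contains(signer) { return Err(KeyError::NotAuthorized); }
        if !self.keys.contains(key) { return Err(KeyError::UnknownKey); }
        match self.guard {
            // First recommendation: the key that signed the call cannot delete itself.
            Guard::SignerKey if key == signer => return Err(KeyError::RemovingSigner),
            // Second recommendation: the list must keep at least one main key.
            Guard::LastKey if self.keys.len() == 1 => return Err(KeyError::LastKey),
            _ => {}
        }
        self.keys.remove(key);
        Ok(())
    }
}

// The accidental case from the issue: "remove old" executes before "add new".
// Returns both results and the number of main keys left afterwards.
pub fn reordered_rotation(guard: Guard) -> (Result<(), KeyError>, Result<(), KeyError>, usize) {
    let mut c = MainKeys::new("old-key", guard);
    let removed = c.remove_key("old-key", "old-key");
    let added = c.add_key("old-key", "new-key");
    (removed, added, c.len())
}

fn main() {
    for g in [Guard::None, Guard::SignerKey, Guard::LastKey] { println!("{:?}", reordered_rotation(g)); }
}
```

In this model the two guards differ on a correctly ordered rotation: with `Guard::LastKey` the old key can remove itself once the new key exists, while with `Guard::SignerKey` the removal has to be signed by the new key.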