Closed github-actions[bot] closed 1 year ago
ahmedovv
medium
Ownable uses single-step ownership transfer in core, controller-52 and controller-55
Using single-step ownership can be dangerous if current admin's private key is accessed somehow by malicious user.
Admin has access to the followoing functions in core implementation:
function setOracle(address token, IOracle _oracle) external
Admin has access to the followoing functions in controller-52 implementation:
function updateController(address target, IController controller) external function toggleTokenAllowance(address token) external
Admin has access to the followoing functions in controller-55 implementation:
Тhe importance of this functions is big and should be used two-factor ownership transfer
https://github.com/sherlock-audit/2023-01-sentiment/blob/main/oracle/src/utils/Ownable.sol#L21 https://github.com/sherlock-audit/2023-01-sentiment/blob/main/controller-55/src/utils/Ownable.sol#L21 https://github.com/sherlock-audit/2023-01-sentiment/blob/main/controller-52/src/utils/Ownable.sol#L21
Manual Review
Consider using OpenZeppelin's Ownable2Step contract
ahmedovv
medium
Using single-step ownership transfer.
Summary
Ownable uses single-step ownership transfer in core, controller-52 and controller-55
Vulnerability Detail
Using single-step ownership can be dangerous if current admin's private key is accessed somehow by malicious user.
Impact
Admin has access to the followoing functions in core implementation:
Admin has access to the followoing functions in controller-52 implementation:
Admin has access to the followoing functions in controller-55 implementation:
Тhe importance of this functions is big and should be used two-factor ownership transfer
Code Snippet
https://github.com/sherlock-audit/2023-01-sentiment/blob/main/oracle/src/utils/Ownable.sol#L21 https://github.com/sherlock-audit/2023-01-sentiment/blob/main/controller-55/src/utils/Ownable.sol#L21 https://github.com/sherlock-audit/2023-01-sentiment/blob/main/controller-52/src/utils/Ownable.sol#L21
Tool used
Manual Review
Recommendation
Consider using OpenZeppelin's Ownable2Step contract