XO-constructor allows caller to transfer ownership to themselves
Summary
The constructor function of the UnitasProxyAdmin contract allows the caller to transfer ownership of the contract to themselves. This probllem can allows an attacker to take control of the contract and steal funds or change the contract's functionality.
Vulnerability Detail
* @title Proxy admin of the protocol
*/
contract UnitasProxyAdmin is ProxyAdmin {
/**
* @notice Initializes the contract with changing owner
* @dev The constructor of `Ownable` will transfer ownership to `msg.sender` first,
* transfers ownership to `owner_` when it is not the same as the caller.
*/
constructor(address owner_) {
if (owner_ != owner()) {
_transferOwnership(owner_);
}
}
}
The vulnerability is in the constructor function of the UnitasProxyAdmin contract, the problem is that the code will only work if the owner_ parameter is not the same as the address of the caller, there is no guarantee that this will be the case. means that it is possible for the caller to pass in their own address as the owner_ parameter. This would cause the constructor function to transfer ownership of the contract to the caller, and the vulnerability is caused by this line if (owner_ != owner()) { , if theowner_ parameter is not equal to the address of the contract, this check does not account for the possibility that the caller could pass in their own address as the owner_ parameter. This means that the check will always pass, even if the caller is trying to transfer ownership of the contract to themselves, this allows an attacker to take control of the contract and steal funds or change the contract's functionality.
Impact
An attacker is able to transfer ownership of the contract to themselves, they could do anything they want with it, including stealing funds or changing the contract's functionality.
XDZIBEC
medium
XO-constructor allows caller to transfer ownership to themselves
Summary
UnitasProxyAdmin
contract allows the caller to transferownership
of the contract to themselves. This probllem can allows an attacker to take control of the contract and steal funds or change the contract's functionality.Vulnerability Detail
constructor
function of theUnitasProxyAdmin
contract, the problem is that the code will only work if theowner_
parameter is not the same as the address of thecaller
, there is no guarantee that this will be the case. means that it is possible for thecaller
to pass in theirown
address as theowner_
parameter. This would cause the constructor function to transferownership
of the contract to the caller, and the vulnerability is caused by this lineif (owner_ != owner()) {
, if theowner_
parameter is not equal to the address of the contract, this check does not account for the possibility that the caller could pass in their own address as theowner_
parameter. This means that the check will always pass, even if the caller is trying to transferownership
of the contract to themselves, this allows an attacker to take control of the contract and steal funds or change the contract's functionality.Impact
ownership
of the contract to themselves, they could do anything they want with it, including stealing funds or changing the contract's functionality.Code Snippet
Tool used
Manual Review
Recommendation
constructor
function should be modified to include a check to prevent the caller from transferringownership
of the contract to themselves.