XDZIBEC - XO-`acceptOwner()` function can be called by `unauthorized` users

[sherlock-admin]

XDZIBEC

high

XO-acceptOwner() function can be called by unauthorized users

Summary

• The vulnerability is in the acceptOwner() function, it's can be called by unauthorized users. This is because the function does not check to see if the sender of the transaction is the pending owner. This allows an attacker to call the function and take control of the contract.

  Vulnerability Detail

  */
  function acceptOwner() public {
      _beforeAcceptOwner();
  
      if (_sender() != pendingOwner()) revert UOwnableNotPendingOwnerError(_sender());
  
      _updateOwner(pendingOwner());
      updatePendingOwner(address(0));
  }

• There is a vulnerability in the acceptOwner() function, especially in the if (_sender() != pendingOwner()) revert UOwnableNotPendingOwnerError(_sender());, this line of code checks to see if the sender of the transaction is the pending owner. If the sender is not the pending owner, the transaction reverts. so the problem with that line is that it can be bypassed by an attacker. An attacker can create a malicious transaction that calls the acceptOwner() function with the attacker's address as the pending owner. If the transaction is successful, the attacker will become the owner of the contract and could then do anything that the owner can do, such as withdraw funds from the contract or change the contract's code

  Impact

Code Snippet

• https://github.com/sherlock-audit/2023-05-perennial/blob/main/root/contracts/control/unstructured/UOwnable.sol#L46C1-L57C87

  Tool used

Manual Review

Recommendation

• add this require(_sender() == pendingOwner()); this will ensure that the acceptOwner() function can only be called by the pending owner.