setContractOwner does not specifies role that can use it which may be result in to be usedd by any user or a malicious actor.
Impact
The function setContractOwner can be used by any user to set themself or any one owner of the contract. Also, the function does not check for preventing previous owner to be set accidently.
Role should be specified for the function to avoid potential attacks. The recommendation is also made for CEI to be placed in context of checking _newOwner != previousOwner.
SAAJ
medium
Ownership can be transferred to anyone
Summary
Vulnerability Detail
setContractOwner does not specifies role that can use it which may be result in to be usedd by any user or a malicious actor.
Impact
The function setContractOwner can be used by any user to set themself or any one owner of the contract. Also, the function does not check for preventing previous owner to be set accidently.
Code Snippet
https://github.com/sherlock-audit/2023-06-symmetrical/blob/main/symmio-core/contracts/libraries/LibDiamond.sol#L40
Tool used
Manual Review
Recommendation
Role should be specified for the function to avoid potential attacks. The recommendation is also made for CEI to be placed in context of checking _newOwner != previousOwner.