Closed sherlock-admin2 closed 9 months ago
Invalid, admins are trusted entities to not simply renounce contracts. See point 5. of sherlock rules
1 comment(s) were left on this issue during the judging contest.
pratraut commented:
'invalid due to owner being TRUSTED entity'
0x_Scar
medium
Owner should not renounce itself
Summary
The
VestingEscrowFactory
contract depends on theowner
to for many things, includingupdatingValidator
,changeManager
etc. More importantly, recovered funds are transferred to theowner
address as seen here:Therefore, it is imperative that the owner address at no point is reset to 0 or renounced.
Now, the
VestingEscrowFactory
contract inherits fromOwnable2Step
contract as seen here: https://github.com/sherlock-audit/2024-01-rio-vesting-escrow/blob/main/rio-vesting-escrow/src/VestingEscrowFactory.sol#L13 which allows the owner to renounce itself. I have provided the below PoC showing theowner
renouncing ownership and setting it toaddress(0)
.With the vitality of the
owner()
address, it is a huge security risk that can lead to loss of funds if it is renounced.Vulnerability Detail
As seen in this PoC code that can be added to the
VestingEscrowFactory
contractIt is possible to renounce ownership.
Impact
Funds recovery would be impossible leading to Permanently stuck funds
Code Snippet
Tool used
Manual Review
Recommendation
Consider overriding the
Ownable2Step
renounce function and make the call revert.