sherlock-audit / 2024-02-rio-network-core-protocol-judging


Vancelot - Upgrade `OwnableUpgradeable` to `Ownable2StepUpgradeable` #2

Closed sherlock-admin3 closed 7 months ago

sherlock-admin3 commented 7 months ago

Vancelot

medium

Upgrade OwnableUpgradeable to Ownable2StepUpgradeable

Summary

Vulnerability Detail

The contract RioLRTRewardDistributor inherits from the OwnableUpgradeable contract by OpenZeppelin. In the case of the designated Owner calling the function transferOwnership, they may accidentally transfer the ownership to an uncontrolled EOA or to a contract that may not be able to interact with the ownership at all. That could also be the case if the initial address provided for the owner is an invalid one.

Impact

All of the functions with the onlyOwner modifier won't be accessible.

Code Snippet

https://github.com/sherlock-audit/2024-02-rio-vesting-core-protocol/blob/main/rio-sherlock-audit/contracts/restaking/RioLRTRewardDistributor.sol#L5

Tool used

Manual Review

Recommendation

A better option has been created by OpenZeppelin - Ownable2StepUpgradeable, which provides a two-step verification that can prevent an accidental transfer of the ownership.
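To illustrate the two-step handover the recommendation refers to, here is an added, self-contained example that is not part of the report or of the Rio or OpenZeppelin code bases: it mirrors only the public interface of Ownable2Step (`transferOwnership`, `acceptOwnership`, `pendingOwner`) and uses a plain constructor instead of an upgradeable initializer for brevity.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Simplified illustration of the two-step ownership handover pattern that
/// OpenZeppelin's Ownable2Step(Upgradeable) implements. This is NOT the
/// OpenZeppelin code; it only mirrors the public interface to show why a
/// mistyped or non-functional address cannot silently take ownership.
contract TwoStepOwnable {
    address public owner;
    address public pendingOwner;

    event OwnershipTransferStarted(address indexed previousOwner, address indexed newOwner);
    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    error Unauthorized(address caller);

    modifier onlyOwner() {
        if (msg.sender != owner) revert Unauthorized(msg.sender);
        _;
    }

    constructor(address initialOwner) {
        owner = initialOwner;
        emit OwnershipTransferred(address(0), initialOwner);
    }

    /// Step 1: the current owner nominates a successor. Ownership does NOT
    /// move yet. A typo or an address that can never send a transaction
    /// only leaves a dangling nomination, which the owner can overwrite by
    /// calling transferOwnership again with the correct address.
    function transferOwnership(address newOwner) external onlyOwner {
        pendingOwner = newOwner;
        emit OwnershipTransferStarted(owner, newOwner);
    }

    /// Step 2: only the nominee can complete the handover. Succeeding here
    /// proves the nominated address is live and able to act as owner, so
    /// onlyOwner functions cannot end up permanently unreachable this way.
    function acceptOwnership() external {
        if (msg.sender != pendingOwner) revert Unauthorized(msg.sender);
        address previous = owner;
        owner = msg.sender;
        delete pendingOwner;
        emit OwnershipTransferred(previous, msg.sender);
    }
}
```

With the single-step OwnableUpgradeable, the equivalent of step 1 already rewrites `owner`, so the same mistake locks every onlyOwner function immediately.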

nevillehuang commented 7 months ago

Invalid, design suggestion, not a security risk. Admins are trusted to make appropriate ownership transfers.