The setOwner function does not check if the owner_ parameter is a non-zero address or we are setting the same owner again. Setting the owner to the zero address could result in a loss of contract control.
There is no multi-signature or timelock functionality for the setOwner function, which means that if the owner's private key is compromised, the attacker can immediately take full control of the contract.
bareli
medium
zero address verification.
Summary
The setOwner function does not check if the owner_ parameter is a non-zero address or we are setting the same owner again. Setting the owner to the zero address could result in a loss of contract control.
There is no multi-signature or timelock functionality for the setOwner function, which means that if the owner's private key is compromised, the attacker can immediately take full control of the contract.
Vulnerability Detail
function setOwner(address owner) external auth { owner = owner; emit LogSetOwner(owner); }
Impact
setting the owner to the zero address could result in a loss of contract control.
Code Snippet
https://github.com/sherlock-audit/2024-02-rubicon-finance/blob/main/gladius-contracts-internal/src/lib/DSAuth.sol#L16
Tool used
Manual Review
Recommendation
There should be multi-signature or timelock functionality for the setOwner function.