sherlock-audit / 2024-02-rubicon-finance-judging


bareli - zero address verification. #46

Closed sherlock-admin closed 7 months ago

sherlock-admin commented 7 months ago

bareli

medium

zero address verification.

Summary

The setOwner function does not check if the owner_ parameter is a non-zero address or we are setting the same owner again. Setting the owner to the zero address could result in a loss of contract control.

There is no multi-signature or timelock functionality for the setOwner function, which means that if the owner's private key is compromised, the attacker can immediately take full control of the contract.

Vulnerability Detail

```solidity
function setOwner(address owner_) external auth {
    // Assigns the `owner_` parameter to the `owner` state variable without
    // checking for address(0) or for owner_ == owner.
    owner = owner_;
    emit LogSetOwner(owner);
}
```

Impact

Setting the owner to the zero address could result in a loss of contract control.

Code Snippet

https://github.com/sherlock-audit/2024-02-rubicon-finance/blob/main/gladius-contracts-internal/src/lib/DSAuth.sol#L16

Tool used

Manual Review

Recommendation

There should be multi-signature or timelock functionality for the setOwner function.
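The following is an added illustration and is not code from the Rubicon repository or from the report above. It shows a hypothetical `OwnedExample` contract whose `setOwner` performs the two input checks the summary names (non-zero address, not the current owner), and goes one step beyond the report by adding a two-step handover (`proposeOwner` / `acceptOwnership`), a common mitigation for a mistyped or compromised owner address; the names, errors and events are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the Rubicon/DSAuth code. Minimal owner-setter with the
// checks the finding's summary describes plus a two-step ownership handover.
contract OwnedExample {
    address public owner;
    address public pendingOwner;

    event LogSetOwner(address indexed owner);
    event LogPendingOwner(address indexed pendingOwner);

    error NotAuthorized();
    error ZeroAddress();
    error SameOwner();

    modifier auth() {
        if (msg.sender != owner) revert NotAuthorized();
        _;
    }

    constructor() {
        owner = msg.sender;
        emit LogSetOwner(msg.sender);
    }

    // Direct setter with the two checks the report asks for:
    // reject address(0) and reject re-setting the current owner.
    function setOwner(address owner_) external auth {
        if (owner_ == address(0)) revert ZeroAddress();
        if (owner_ == owner) revert SameOwner();
        owner = owner_;
        emit LogSetOwner(owner_);
    }

    // Two-step variant: the proposed owner must call acceptOwnership() from
    // its own key, so a wrong or unreachable address cannot take over.
    function proposeOwner(address owner_) external auth {
        if (owner_ == address(0)) revert ZeroAddress();
        if (owner_ == owner) revert SameOwner();
        pendingOwner = owner_;
        emit LogPendingOwner(owner_);
    }

    function acceptOwnership() external {
        if (msg.sender != pendingOwner) revert NotAuthorized();
        owner = pendingOwner;
        pendingOwner = address(0);
        emit LogSetOwner(owner);
    }
}
```

The zero-address check prevents the lock-out the summary describes; the same-owner check only saves a no-op transaction and a misleading event. The two-step handover is the piece that actually addresses a wrong destination address, since ownership never moves until the recipient proves it controls the key. A timelock or multi-signature owner, as the recommendation suggests, would sit in front of `proposeOwner` rather than replace these checks.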

sherlock-admin commented 7 months ago

2 comment(s) were left on this issue during the judging contest.

tsvetanovv commented:

Invalid. Admin mistake

0xAadi commented:

Invalid: Admin/Owner is Trusted