Admin role lockout #35
Labels
bug
Something isn't working
disagree with severity
Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments)
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
sponsor acknowledged
Technically the issue is correct, but we're not going to resolve it for XYZ reasons
valid
Lines of code
https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/HomeFi.sol#L157-L167
Vulnerability details
Impact
The
replaceAdmin()
function inHomeFi.sol
updates admin role address in one-step. If an incorrect address is mistakenly used then future administrative access or even recovering from this mistake is prevented because allonlyAdmin
modifier functions require_msg.sender
to be the incorrectly used admin address (for which private keys may not be available to sign transactions). In such a case, contracts would have to be redeployed.Proof of Concept
https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/HomeFi.sol#L157-L167
Recommended Mitigation Steps
Suggest using a two-step process where the new admin address first claims ownership in one transaction and a second transaction from the new admin address takes ownership.
The text was updated successfully, but these errors were encountered: