Owner should not be able to renounce ownership #48
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
unsatisfactory
does not satisfy C4 submission criteria; not eligible for awards
Comments
code423n4
added
2 (Med Risk)
c4-judge
added
the
unsatisfactory
|
gzeon-c4 marked the issue as unsatisfactory: |
|
Hi @gzeon-c4, resignOwnership is a function available to call in the contract, and can lead to loss of NFTs, I don't see why you marked the issue as unsatisfactory. |
|
This is not an issue because it have the same effect as if the owner decided to do nothing. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/code-423n4/2022-12-forgeries/blob/fc271cf20c05ce857d967728edfb368c58881d85/src/ownable/OwnableUpgradeable.sol#L114-L116
Vulnerability details
Impact
The
VRFNFTRandomDrawcontract inherits from theOwnableUpgradablecontract which gives the contract owner the ability to renounce ownership of the contract as seen here https://github.com/code-423n4/2022-12-forgeries/blob/fc271cf20c05ce857d967728edfb368c58881d85/src/ownable/OwnableUpgradeable.sol#L114-L116.The
VRFNFTRandomDrawcontract heavily relies on the owner to perform critical operations including callingstartDraw (),redraw()and alsolastResortTimelockOwnerClaimNFT ()functions. If the ownership of the contract at some point is resigned then these operations would not be possibleProof of Concept
https://github.com/code-423n4/2022-12-forgeries/blob/fc271cf20c05ce857d967728edfb368c58881d85/src/ownable/OwnableUpgradeable.sol#L114-L116
Tools Used
Recommended Mitigation Steps
Consider removing the ability of the owner to renounce ownership via the
resignOwnership ()functionThe text was updated successfully, but these errors were encountered: