Owner should not be able to renounce ownership #48
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
unsatisfactory: does not satisfy C4 submission criteria; not eligible for awards
Lines of code
https://github.com/code-423n4/2022-12-forgeries/blob/fc271cf20c05ce857d967728edfb368c58881d85/src/ownable/OwnableUpgradeable.sol#L114-L116
Vulnerability details
Impact
The `VRFNFTRandomDraw` contract inherits from the `OwnableUpgradeable` contract, which gives the contract owner the ability to renounce ownership of the contract, as seen here: https://github.com/code-423n4/2022-12-forgeries/blob/fc271cf20c05ce857d967728edfb368c58881d85/src/ownable/OwnableUpgradeable.sol#L114-L116

The `VRFNFTRandomDraw` contract heavily relies on the owner to perform critical operations, including calling the `startDraw()`, `redraw()` and also `lastResortTimelockOwnerClaimNFT()` functions. If the ownership of the contract at some point is resigned, then these operations would not be possible.
Proof of Concept
https://github.com/code-423n4/2022-12-forgeries/blob/fc271cf20c05ce857d967728edfb368c58881d85/src/ownable/OwnableUpgradeable.sol#L114-L116
Tools Used
Recommended Mitigation Steps
Consider removing the ability of the owner to renounce ownership via the `resignOwnership()` function.
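
The failure mode and the recommended mitigation from this report, as an added Solidity example that is not part of the original submission or the project's code. `MiniOwnable`, `DrawBase`, `DrawWithResign` and `DrawWithoutResign` are constructed stand-ins; only the function names `resignOwnership`, `startDraw` and `lastResortTimelockOwnerClaimNFT` come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Constructed stand-in for an ownable base (not the project's OwnableUpgradeable.sol).
abstract contract MiniOwnable {
    address public owner;
    error OnlyOwner();

    constructor() { owner = msg.sender; }

    modifier onlyOwner() {
        if (msg.sender != owner) revert OnlyOwner();
        _;
    }

    // Resign path: the owner becomes address(0), which no caller can ever match.
    function resignOwnership() public virtual onlyOwner {
        owner = address(0);
    }
}

// Constructed stand-in for the draw contract's owner-gated operations.
abstract contract DrawBase is MiniOwnable {
    uint256 public drawsStarted;
    bool public recovered;

    function startDraw() external onlyOwner { drawsStarted += 1; }
    function lastResortTimelockOwnerClaimNFT() external onlyOwner { recovered = true; }
}

// "Before": the resign path is inherited unchanged. Once the owner calls
// resignOwnership(), startDraw() and lastResortTimelockOwnerClaimNFT()
// revert with OnlyOwner for every caller, permanently.
contract DrawWithResign is DrawBase {}

// "After": the resign path is closed, so the owner-gated functions
// remain reachable for the lifetime of the contract.
contract DrawWithoutResign is DrawBase {
    error ResignDisabled();

    function resignOwnership() public pure override {
        revert ResignDisabled();
    }
}
```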