Early Umber Quail
Medium
MorphoLeverageModule Uses Ownable Instead of Ownable2Step
The MorphoLeverageModule contract inherits from OpenZeppelin's Ownable contract instead of Ownable2Step, potentially allowing for accidental or malicious immediate transfer of ownership without the safety of a two-step process.
```solidity
import { Ownable } from "@openzeppelin/contracts/access/Ownable.sol";

contract MorphoLeverageModule is ModuleBase, ReentrancyGuard, Ownable, IModuleIssuanceHook {
    // ... (contract implementation)
}
```
- The contract is deployed and ownership is set.
- The contract includes functions that are restricted to the owner.
- The current owner has the ability to transfer ownership directly to a new address.
While not directly exploitable, this setup could lead to:
- Accidental transfer of ownership to an incorrect address.
- Malicious transfer of ownership if the owner's private key is compromised.
- Immediate loss of control over the contract if the ownership is transferred to an invalid or inaccessible address.
- Loss of Control: Immediate and irreversible loss of contract control if ownership is transferred to an incorrect or inaccessible address.
- Security Risk: Increased vulnerability to attacks targeting the owner's account, as ownership transfer is immediate.
Replace Ownable with Ownable2Step from OpenZeppelin:
```solidity
import { Ownable2Step } from "@openzeppelin/contracts/access/Ownable2Step.sol";

contract MorphoLeverageModule is ModuleBase, ReentrancyGuard, Ownable2Step, IModuleIssuanceHook {
    // ... (rest of the contract implementation)
}
```
This change implements a two-step ownership transfer process:
- The current owner calls `transferOwnership` to propose a new owner.
- The proposed owner must call `acceptOwnership` to complete the transfer.
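The two-step behaviour described above can be checked with a small test. This is an added example, not code from the report or the project. It assumes Foundry's forge-std and OpenZeppelin Contracts v5.x (where `Ownable` takes an initial owner and reverts with `OwnableUnauthorizedAccount`); `TwoStepHarness` and the three addresses are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {Ownable2Step} from "@openzeppelin/contracts/access/Ownable2Step.sol";

// Hypothetical stand-in for the module: only the ownership logic matters here.
contract TwoStepHarness is Ownable2Step {
    constructor(address initialOwner) Ownable(initialOwner) {}
}

contract Ownable2StepBehaviourTest is Test {
    TwoStepHarness internal module;
    // Constructed test addresses (assumptions, not real accounts).
    address internal admin = makeAddr("admin");
    address internal mistyped = makeAddr("mistyped");
    address internal intended = makeAddr("intended");

    function setUp() public {
        module = new TwoStepHarness(admin);
    }

    function test_TransferOnlyCompletesOnAccept() public {
        // Step 1: proposing a wrong address changes nothing but pendingOwner.
        vm.prank(admin);
        module.transferOwnership(mistyped);
        assertEq(module.owner(), admin);
        assertEq(module.pendingOwner(), mistyped);

        // The owner still holds control, so the mistake can be overwritten.
        vm.prank(admin);
        module.transferOwnership(intended);
        assertEq(module.pendingOwner(), intended);

        // An address that is not the pending owner cannot complete the transfer.
        vm.prank(mistyped);
        vm.expectRevert(abi.encodeWithSelector(Ownable.OwnableUnauthorizedAccount.selector, mistyped));
        module.acceptOwnership();

        // Step 2: only the proposed owner's own call moves ownership.
        vm.prank(intended);
        module.acceptOwnership();
        assertEq(module.owner(), intended);
        assertEq(module.pendingOwner(), address(0));
    }
}
```

With plain `Ownable`, the first `transferOwnership(mistyped)` call would already have changed `owner()`, leaving no chance to correct it.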