Unrestricted transferOwnership
Description
The transferOwnership function is not restricted to the owner, allowing any user to transfer ownership of the contract.
Examples
Insecure Code

```solidity
function transferOwnership(address newOwner) public {
    // No caller check: any account can make itself the owner
    owner = newOwner;
}
```

Secure Code

```solidity
function transferOwnership(address newOwner) public {
    require(msg.sender == owner, 'Only the owner can transfer ownership');
    owner = newOwner;
}
```

Remediation
Add a require statement to restrict the transferOwnership function to the owner, such as require(msg.sender == owner, 'Only the owner can transfer ownership');
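A complete contract applying this remediation, as an added example that is not code from the rule page or from the referenced incident; the contract and function names are illustrative, and the two-step accept variant goes beyond the page's single require to also guard against a mistyped new owner address:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not part of the rule page): a minimal owned contract in which
// every ownership change is gated on the current owner.
contract OwnedVault {
    address public owner;
    address public pendingOwner;

    event OwnershipTransferStarted(address indexed previousOwner, address indexed newOwner);
    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    modifier onlyOwner() {
        require(msg.sender == owner, "Only the owner can transfer ownership");
        _;
    }

    constructor() {
        owner = msg.sender;
        emit OwnershipTransferred(address(0), msg.sender);
    }

    // Immediate transfer restricted to the owner (the page's fix), plus a
    // zero-address check so ownership cannot be burned by accident.
    function transferOwnership(address newOwner) public onlyOwner {
        require(newOwner != address(0), "New owner is the zero address");
        emit OwnershipTransferred(owner, newOwner);
        owner = newOwner;
    }

    // Two-step variant: the proposed owner must accept, so a typo in the
    // address cannot lock the contract out of its privileged functions.
    function beginOwnershipTransfer(address newOwner) public onlyOwner {
        require(newOwner != address(0), "New owner is the zero address");
        pendingOwner = newOwner;
        emit OwnershipTransferStarted(owner, newOwner);
    }

    function acceptOwnership() public {
        require(msg.sender == pendingOwner, "Caller is not the pending owner");
        emit OwnershipTransferred(owner, pendingOwner);
        owner = pendingOwner;
        pendingOwner = address(0);
    }

    // A privileged action: this is what an unrestricted transferOwnership
    // would hand to an arbitrary caller.
    function withdraw(address payable to, uint256 amount) public onlyOwner {
        to.transfer(amount);
    }

    receive() external payable {}
}
```

Emitting an event on every ownership change gives monitoring a cheap on-chain signal to alert on unexpected owner changes.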
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0202 |
| Category | AccessControl |
| Severity | CRITICAL |
| CWE | CWE-284 |
| Confidence | LOW |
| Impact | HIGH |
| Likelihood | HIGH |
| Exploitability | EASY |
| Tags | smart contract, access control |
| OWASP | N/A |
References
- https://www.bscscan.com/address/0xe48b75dc1b131fd3a8364b0580f76efd04cf6e9c
- https://medium.com/quillhash/decoding-ragnarok-online-invasion-44k-exploit-quillaudits-261b7e23b55