F-2025-0009·ownership-transfer

Custom ownership implementation lacks secure ownership transfer mechanism

Fixed · stakingnft-boostrewards
TL;DR

Contract implements a basic onlyOwner modifier with no transferOwnership function or two-step process, risking permanent loss of admin if the owner address is compromised.

Severity: LOW
Impact: LOW
Likelihood: LOW
Method: Manual review
Complexity: LOW
Exploitability: LOW
Description

The contract implements a basic ownership mechanism:

```solidity
address public owner;

modifier onlyOwner() {
    require(msg.sender == owner, "Only owner can call this function");
    _;
}
```

However, this implementation:

  1. Lacks ability to transfer ownership (no transferOwnership function).
  2. Has no two-step ownership transfer process.
  3. Could lead to permanent loss of admin functions if the owner address is compromised.

This is particularly concerning given that the protocol's roadmap includes a transition to DAO governance, which will require handing admin rights to a new address through a secure ownership transfer mechanism.

Recommendation

Replace the custom ownership implementation with OpenZeppelin's Ownable2Step.
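As an added illustration (not Ample Protocol's code), the contract below shows the two-step semantics that Ownable2Step provides: the owner only nominates a successor, and admin rights move only once the nominee proves control of the address by accepting. In practice the fix is to inherit OpenZeppelin's Ownable2Step directly rather than re-implement it; the event and function names here mirror that contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Example only: a minimal two-step ownership transfer with the same
// behaviour as OpenZeppelin's Ownable2Step. Inherit the library contract
// in production instead of hand-rolling this.
contract TwoStepOwned {
    address public owner;
    address public pendingOwner;

    event OwnershipTransferStarted(address indexed previousOwner, address indexed newOwner);
    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    constructor(address initialOwner) {
        require(initialOwner != address(0), "owner is zero address");
        owner = initialOwner;
        emit OwnershipTransferred(address(0), initialOwner);
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "Only owner can call this function");
        _;
    }

    // Step 1: the current owner nominates a successor. Nothing changes yet,
    // so a mistyped address cannot lock the contract: the owner can nominate
    // again, or pass address(0) to cancel, until the nominee accepts.
    function transferOwnership(address newOwner) external onlyOwner {
        pendingOwner = newOwner;
        emit OwnershipTransferStarted(owner, newOwner);
    }

    // Step 2: only the nominee can complete the transfer, which proves the
    // new address (e.g. a DAO executor) is live and controlled by the
    // intended party before any admin rights move.
    function acceptOwnership() external {
        require(msg.sender == pendingOwner, "caller is not the pending owner");
        address previous = owner;
        owner = msg.sender;
        delete pendingOwner;
        emit OwnershipTransferred(previous, msg.sender);
    }
}
```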

Resolution

Ample Protocol: Fixed.

Zealynx: Verified.


© 2026 Zealynx