Single-step ownership transfer in BridgeToken contract
BridgeToken uses single-step ownership transfer via OwnableUpgradeable; a mistyped address in transferOwnership permanently loses control over all onlyOwner functions.
Description
In the BridgeToken contract, ownership is managed using the OwnableUpgradeable contract, which implements a single-step transfer of ownership. This approach directly assigns the new owner without any confirmation step. If the address passed to the transfer function is incorrect, it could result in the permanent loss of control over the contract.
Example from BridgeToken:
contract BridgeToken is Initializable, UUPSUpgradeable, ERC20Upgradeable, OwnableUpgradeable {
    // Contract implementation
}
Impact
The BridgeToken contract currently uses a single-step ownership transfer mechanism by extending the OwnableUpgradeable contract. This means that when ownership is transferred, the new owner is immediately given full control. If an incorrect address is specified during this transfer, ownership can be irretrievably lost. This can have severe consequences for methods marked with onlyOwner, which include critical protocol functions.
Recommendation
It is a best practice to use a two-step ownership transfer pattern. This involves setting the new owner to a "pending" state, and the new owner must explicitly accept the ownership. This mitigates the risk of accidentally transferring ownership to an incorrect address.
Consider using OpenZeppelin's Ownable2StepUpgradeable contract, which implements the two-step ownership transfer pattern.
Steps to implement:
- Update the inheritance: replace OwnableUpgradeable with Ownable2StepUpgradeable.
- Modify the contract: update the contract to use Ownable2StepUpgradeable for ownership management.
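A sketch of the contract after both steps, added here as an example and not taken from the audited code base. It assumes OpenZeppelin Contracts Upgradeable v5.x; the initialize signature and the owner-gated _authorizeUpgrade are hypothetical, since the finding does not show the contract body.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the audited project's code.
// Assumes OpenZeppelin Contracts Upgradeable v5.x import paths and initializers.
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import {ERC20Upgradeable} from "@openzeppelin/contracts-upgradeable/token/ERC20/ERC20Upgradeable.sol";
import {Ownable2StepUpgradeable} from "@openzeppelin/contracts-upgradeable/access/Ownable2StepUpgradeable.sol";

// Ownable2StepUpgradeable already extends OwnableUpgradeable, so it replaces
// OwnableUpgradeable in the inheritance list rather than being added next to it.
contract BridgeToken is Initializable, UUPSUpgradeable, ERC20Upgradeable, Ownable2StepUpgradeable {
    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        _disableInitializers(); // lock the implementation contract itself
    }

    // Hypothetical initializer: the real parameters are not shown in the finding.
    function initialize(string memory name_, string memory symbol_, address initialOwner)
        external
        initializer
    {
        __ERC20_init(name_, symbol_);
        __Ownable_init(initialOwner);
        __Ownable2Step_init();
        __UUPSUpgradeable_init();
    }

    // Assumption: upgrades are owner-gated, which is why losing the owner
    // would also mean losing the ability to upgrade the token.
    function _authorizeUpgrade(address) internal override onlyOwner {}

    // Ownership handover now takes two transactions, both inherited:
    //   1. owner calls transferOwnership(candidate)
    //        -> pendingOwner() == candidate, owner() is unchanged
    //   2. candidate calls acceptOwnership()
    //        -> owner() == candidate, pendingOwner() is cleared
    // If step 1 is given an address nobody controls, step 2 can never happen:
    // the current owner still passes onlyOwner and can call
    // transferOwnership again with the correct address.
}
```

If BridgeToken is already deployed behind a proxy, check the storage layout of the new implementation against the deployed one before upgrading, because changing a base contract can move state variables depending on the OpenZeppelin version in use.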
Resolution
Resolved.

