F-2025-0024·ownership-pattern

Consider using Ownable2Step instead of Ownable

Acknowledged · vaultetfstrategy · d2-contracts
TL;DR

VaultV3 and VaultV0 use the single-step OpenZeppelin Ownable pattern. Switching to Ownable2Step requires the new owner to claim ownership in a second transaction, removing the risk of permanently bricking the contract by transferring to a wrong or inaccessible address.

Severity: INFO
Impact: LOW
Likelihood: LOW
Method: Manual review
Complexity: LOW
Exploitability: LOW

Description

The VaultV3 and VaultV0 contracts use OpenZeppelin's Ownable for access control. While secure, this single-step ownership transfer pattern risks permanently locking the contracts if ownership is accidentally transferred to an invalid or inaccessible address.

Consider using Ownable2Step instead, which requires the new owner to accept ownership in a separate transaction. This two-step pattern is considered best practice as it prevents accidental transfers and ensures the new owner can actually interact with the contract.
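
The two-step handover described above, as an added example that is not taken from the audited repository. `ExampleVault`, `IncomingOwner` and `HandoverWalkthrough` are hypothetical names, and the imports and constructor assume OpenZeppelin Contracts v5.x, which the finding does not state.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumption: OpenZeppelin Contracts v5.x import paths and constructor style.
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {Ownable2Step} from "@openzeppelin/contracts/access/Ownable2Step.sol";

// Hypothetical stand-in for a vault; not the audited VaultV3/VaultV0 code.
contract ExampleVault is Ownable2Step {
    bool public paused;

    constructor(address initialOwner) Ownable(initialOwner) {}

    function setPaused(bool value) external onlyOwner {
        paused = value;
    }
}

// Hypothetical incoming owner, e.g. a contract wallet that can transact.
contract IncomingOwner {
    function accept(ExampleVault vault) external {
        vault.acceptOwnership();
    }
}

// Walks through a mistaken nomination and its recovery.
contract HandoverWalkthrough {
    function run() external returns (address finalOwner) {
        ExampleVault vault = new ExampleVault(address(this));
        IncomingOwner incoming = new IncomingOwner();

        // 1. Mistake: nominate an address nobody controls (constructed value).
        address mistyped = address(0xdead);
        vault.transferOwnership(mistyped);
        // Nothing has moved yet: only the pending owner is recorded.
        require(vault.owner() == address(this), "owner changed too early");
        require(vault.pendingOwner() == mistyped, "pending owner not set");
        vault.setPaused(true); // current owner keeps full control

        // 2. Recovery: the current owner overwrites the pending nomination.
        vault.transferOwnership(address(incoming));

        // 3. The nominee proves it can transact by accepting.
        incoming.accept(vault);
        require(vault.pendingOwner() == address(0), "pending owner not cleared");
        finalOwner = vault.owner();
        require(finalOwner == address(incoming), "handover incomplete");
    }
}
```

`renounceOwnership()` is inherited unchanged from Ownable and still takes effect in a single call, so the two-step protection covers transfers only.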

Resolution

D2: Ignored "Consider using Ownable2Step instead of Ownable", we'll consider it for the future.

Cyfrin: Acknowledged.