F-2025-0008·ownership-transfer

Use Ownable2StepUpgradeable instead of OwnableUpgradeable

Acknowledgednftstakingeip-712
TL;DR

Both contracts use single-step OwnableUpgradeable. A typo or front-run on transferOwnership could permanently lose admin control.

Severity
LOW
Impact
LOW
Likelihood
LOW
Method
MManual review
CAT.
Complexity
LOW
Exploitability
LOW
02Section · Description

Description

Both GenesisLicense and GenesisLicenseStaking contracts inherit from OpenZeppelin's OwnableUpgradeable:

solidity
contract GenesisLicense is
    GenesisLicenseStorages,
    EIP712Upgradeable,
    OwnableUpgradeable,
    // ...

The OwnableUpgradeable implementation allows ownership to be transferred in a single transaction, which creates risk if:

  1. The owner accidentally transfers to an incorrect address.
  2. The private key of the new owner is not accessible.
  3. The transfer transaction is front-run.
03Section · Impact

Impact

A misdirected transferOwnership cannot be undone. The protocol loses admin control of upgrade and configuration paths.

04Section · Recommendation

Recommendation

Replace OwnableUpgradeable with Ownable2StepUpgradeable in all contracts:

solidity
import "@openzeppelin/contracts-upgradeable/access/Ownable2StepUpgradeable.sol";


contract GenesisLicense is
    GenesisLicenseStorages,
    EIP712Upgradeable,
    Ownable2StepUpgradeable,
    // ...

This implements a two-step ownership transfer process where:

  1. The current owner proposes a new owner (transferOwnership).
  2. The proposed owner must accept ownership (acceptOwnership).

This pattern prevents accidental transfers to wrong addresses and provides stronger security guarantees for critical protocol administration functions.

ZEALYNX SECURITY · published 2025-07-10
F-2025-0008

oog
zealynx

Smart Contract Security Digest

Monthly exploit breakdowns, audit checklists, and DeFi security research — straight to your inbox

REQUEST AN AUDIT

Quick Links

Services

Company

Resources

© 2026 Zealynx