#56332 [SC - Low] Pending admin cannot accept ownership

Submitted on Oct 14th 2025 at 16:51:59 UTC by @PotEater for Audit Comp | Alchemix V3

  • Report ID: #56332

  • Report Type: Smart Contract

  • Report severity: Low

  • Target: https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/AlchemistCurator.sol

  • Impacts:

Description

Brief/Intro

The function acceptAdminOwnership is guarded with the onlyAdmin modifier.

This is a mistake: the pending admin is not yet the admin at the moment it tries to claim ownership, so the modifier rejects exactly the caller the function is meant for, and the pending admin can never accept ownership.

Vulnerability Details

The function transferAdminOwnerShip sets the pendingAdmin address. The pendingAdmin is then expected to call acceptAdminOwnership to claim ownership. However, this call is impossible: acceptAdminOwnership is restricted by onlyAdmin, and the pending admin is not yet the admin, so the call reverts.

Code snippet:

    // ===== Admin Management =====
    // Step 1: the current admin nominates a successor.
    function transferAdminOwnerShip(address _newAdmin) external onlyAdmin {
        pendingAdmin = _newAdmin;
    }

    // Step 2: the successor is supposed to claim the role, but the onlyAdmin
    // modifier means only the current admin can call this, never pendingAdmin.
    function acceptAdminOwnership() external onlyAdmin {
        admin = pendingAdmin;
        pendingAdmin = address(0);
        emit AdminChanged(admin);
    }

Impact Details

The impact is that the pending admin cannot accept the ownership, so the two-step admin transfer can never be completed by the party it is designed for.

This is a Denial of Service of the admin handover.

References

https://github.com/alchemix-finance/v3-poc/blob/b2e2aba046c36ff5e1db6f40f399e93cd2bdaad0/src/AlchemistCurator.sol#L31

Proof of Concept


This PoC demonstrates how a pending admin tries to call acceptAdminOwnership but fails due to the onlyAdmin modifier:

Add this function in the AlchemistCurator.t.sol test file:
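The reporter's test function is not reproduced on this page. The following is an added, self-contained Foundry example (not the reporter's PoC and not Alchemix code): a constructed minimal contract that copies the two-step admin pattern shown in the snippet above, a fixed variant whose accept step checks msg.sender against pendingAdmin instead of using onlyAdmin, and tests showing the pending admin reverting on the vulnerable version and succeeding on the fixed one. The NotAdmin and NotPendingAdmin errors, the constructor, and the forge-std import are assumptions of this example, not details taken from AlchemistCurator.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Constructed reproduction of the pattern in the report. Not the real
// AlchemistCurator; the modifier name matches the snippet, the rest is assumed.
contract VulnerableCurator {
    address public admin;
    address public pendingAdmin;

    event AdminChanged(address newAdmin);
    error NotAdmin(); // assumed revert reason for onlyAdmin

    modifier onlyAdmin() {
        if (msg.sender != admin) revert NotAdmin();
        _;
    }

    constructor(address _admin) {
        admin = _admin;
    }

    function transferAdminOwnerShip(address _newAdmin) external onlyAdmin {
        pendingAdmin = _newAdmin;
    }

    // Bug under discussion: onlyAdmin means pendingAdmin can never call this.
    function acceptAdminOwnership() external onlyAdmin {
        admin = pendingAdmin;
        pendingAdmin = address(0);
        emit AdminChanged(admin);
    }
}

// Corrected variant: the accept step is open to anyone but only succeeds
// when the caller is the nominated successor.
contract FixedCurator {
    address public admin;
    address public pendingAdmin;

    event AdminChanged(address newAdmin);
    error NotAdmin();
    error NotPendingAdmin();

    modifier onlyAdmin() {
        if (msg.sender != admin) revert NotAdmin();
        _;
    }

    constructor(address _admin) {
        admin = _admin;
    }

    function transferAdminOwnerShip(address _newAdmin) external onlyAdmin {
        pendingAdmin = _newAdmin;
    }

    function acceptAdminOwnership() external {
        if (msg.sender != pendingAdmin) revert NotPendingAdmin();
        admin = msg.sender;
        pendingAdmin = address(0);
        emit AdminChanged(admin);
    }
}

contract AdminHandoverTest is Test {
    address internal currentAdmin = makeAddr("admin");
    address internal newAdmin = makeAddr("newAdmin");

    // Vulnerable: nomination works, but the successor's accept call reverts.
    function test_vulnerable_pendingAdminCannotAccept() public {
        VulnerableCurator c = new VulnerableCurator(currentAdmin);
        vm.prank(currentAdmin);
        c.transferAdminOwnerShip(newAdmin);
        assertEq(c.pendingAdmin(), newAdmin);

        vm.prank(newAdmin);
        vm.expectRevert(VulnerableCurator.NotAdmin.selector);
        c.acceptAdminOwnership();

        assertEq(c.admin(), currentAdmin); // handover is stuck
    }

    // Fixed: a stranger cannot hijack the handover, the successor completes it.
    function test_fixed_pendingAdminAccepts() public {
        FixedCurator c = new FixedCurator(currentAdmin);
        vm.prank(currentAdmin);
        c.transferAdminOwnerShip(newAdmin);

        vm.prank(makeAddr("stranger"));
        vm.expectRevert(FixedCurator.NotPendingAdmin.selector);
        c.acceptAdminOwnership();

        vm.prank(newAdmin);
        c.acceptAdminOwnership();
        assertEq(c.admin(), newAdmin);
        assertEq(c.pendingAdmin(), address(0));
    }
}
```

Run with `forge test` inside a Foundry project that has forge-std installed. The fixed variant keeps onlyAdmin on the nomination step, which is where it belongs, and moves the authorization of the accept step to an explicit msg.sender == pendingAdmin check, which is the property a two-step transfer is supposed to provide.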
