# 57479 sc low logical bug in alchemistcurator acceptadminownership asking to current admin to accept ownership

**Submitted on Oct 26th 2025 at 15:04:50 UTC by @Eagle\_Eye for** [**Audit Comp | Alchemix V3**](https://immunefi.com/audit-competition/alchemix-v3-audit-competition)

* **Report ID:** #57479
* **Report Type:** Smart Contract
* **Report severity:** Low
* **Target:** <https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/AlchemistCurator.sol>
* **Impacts:**
  * Protocol insolvency

## Description

## Brief/Intro

There is a logical issue in `AlchemistCurator::acceptAdminOwnership`: only the admin can call the function, but the pending admin should be the caller, as in `AlchemistStrategyClassifier::acceptOwnership`.

## Vulnerability Details

There are two state variables, `admin` and `pendingAdmin`. When the admin calls `AlchemistCurator::transferAdminOwnerShip`, `pendingAdmin` is set. After that, only the admin can call `acceptAdminOwnership`, whereas `pendingAdmin` should be the one to call this function. This means the admin transfers and accepts ownership by itself. Even if this is intentional, the second function is redundant, because the whole transfer could be done in the first function alone.
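The two-step handover described above, as an added sketch that is not the AlchemistCurator source. `TwoStepAdminSketch`, its events and errors, and `acceptAdminOwnershipAsReported` are hypothetical names; that function models the admin-gated acceptance the report describes, next to a form gated on `pendingAdmin`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.28;

// Constructed minimal model of a two-step admin handover; not the AlchemistCurator source.
contract TwoStepAdminSketch {
    address public admin;
    address public pendingAdmin;

    event AdminTransferStarted(address indexed currentAdmin, address indexed nominee);
    event AdminTransferred(address indexed previousAdmin, address indexed newAdmin);

    error NotAdmin();
    error NotPendingAdmin();

    constructor(address _admin) {
        admin = _admin;
    }

    modifier onlyAdmin() {
        if (msg.sender != admin) revert NotAdmin();
        _;
    }

    // Step 1: the current admin nominates a successor.
    function transferAdminOwnerShip(address _newAdmin) external onlyAdmin {
        pendingAdmin = _newAdmin;
        emit AdminTransferStarted(admin, _newAdmin);
    }

    // Behaviour described in the report: acceptance is gated on the current
    // admin, so the nominee never has to prove it controls its address.
    function acceptAdminOwnershipAsReported() external onlyAdmin {
        _completeTransfer();
    }

    // Hardened form: only the nominee can complete the handover.
    function acceptAdminOwnership() external {
        if (msg.sender != pendingAdmin) revert NotPendingAdmin();
        _completeTransfer();
    }

    function _completeTransfer() private {
        address previous = admin;
        admin = pendingAdmin;
        pendingAdmin = address(0); // clear the nomination once it is consumed
        emit AdminTransferred(previous, admin);
    }
}
```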

## Impact Details

* The admin can transfer and accept ownership by itself, transferring ownership to a malicious user.

## References

<https://github.com/alchemix-finance/v3-poc/blob/a192ab313c81ba3ab621d9ca1ee000110fbdd1e9/src/AlchemistCurator.sol#L31-L35>

## Proof of Concept

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.28;

import { Test } from "forge-std/Test.sol";
import { AlchemistCurator } from "./AlchemistCurator.sol";

contract TestAlchemistCurator is Test {
    address admin = address(0x123);
    address operator = address(0x234);
    address pendingAdmin = address(0x456);

    AlchemistCurator alchemistCurator;

    function setUp() public {
        alchemistCurator = new AlchemistCurator(admin, operator);
    }

    // Both calls are made as `admin`; the test passes because neither reverts,
    // i.e. the current admin completes the handover without `pendingAdmin` acting.
    function test_AdminTransferAndAcceptOwnership() public {
        vm.startPrank(admin);
        alchemistCurator.transferAdminOwnerShip(pendingAdmin);
        alchemistCurator.acceptAdminOwnership();
        vm.stopPrank();
    }
}
```


