# 57746 sc low broken contract ownership logic at alchemistv3 sol **Submitted on Oct 28th 2025 at 16:28:14 UTC by @Cyborg for** [**Audit Comp | Alchemix V3**](https://immunefi.com/audit-competition/alchemix-v3-audit-competition) * **Report ID:** #57746 * **Report Type:** Smart Contract * **Report severity:** Low * **Target:** * **Impacts:** * Broken contract ownership transfer logic ## Description ## Brief/Intro Broken contract ownership logic at AlchemistV3.sol due to impossible accept ownership method. ## Vulnerability Details Inside *src/AlchemistCurator.sol* there are 2 methods to handle the admin transfership - methods `transferAdminOwnerShip` and `acceptAdminOwnership`. The problem here is that both methods are created with modifier `onlyAdmin` meaning that the selected `pendingAdmin` at method `transferAdminOwnerShip` can't really request method `acceptAdminOwnership` in order to accept the admin role, because he is not yet the admin thus the `onlyAdmin` modifier will revert. There is no way for the `pendingAdmin` to accept the ownership and there is no way for the current `admin` to force transfer the ownership. The smart contract has very important methods for Morpho's Vault V2 that are protected with the `onlyAdmin` modifier. ## Impact Details The AlchemistV3 contract being stuck with the initial admin. ## Recommendation Remove the `onlyAdmin` modifier from method `acceptAdminOwnership` and add validation to check if the `msg.sender == pendingAdmin`: ``` function acceptAdminOwnership() external { require(msg.sender == pendingAdmin, InvalidPendingAdmin()); admin = pendingAdmin; pendingAdmin = address(0); emit AdminChanged(admin); } ``` ## Proof of Concept ## Proof of Concept Create file `src/test/AlchemistCurator.test_acceptAdminOwnership.t.sol` and run it with command `forge test src/test/AlchemistCurator.test_acceptAdminOwnership.t.sol -vv`: ``` // SPDX-License-Identifier: MIT pragma solidity 0.8.28; import "forge-std/Test.sol"; import {MockAlchemistCurator} from "./mocks/MockAlchemistCurator.sol"; contract AlchemistCuratorTest is Test { MockAlchemistCurator public mytCuratorProxy; address public admin = address(0x4444444444444444444444444444444444444444); // DAO OSX address public newAdmin = address(0x123); function setUp() public { vm.startPrank(admin); mytCuratorProxy = new MockAlchemistCurator(admin, admin); vm.stopPrank(); } function test_acceptAdminOwnership() public { vm.startPrank(admin); assertEq(mytCuratorProxy.pendingAdmin(), address(0)); mytCuratorProxy.transferAdminOwnerShip(newAdmin); assertEq(mytCuratorProxy.pendingAdmin(), newAdmin); vm.startPrank(newAdmin); vm.expectRevert(bytes("PD")); // error returned from https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/utils/PermissionedProxy.sol#L18 mytCuratorProxy.acceptAdminOwnership(); } } ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://reports.immunefi.com/alchemix-v3/57746-sc-low-broken-contract-ownership-logic-at-alchemistv3-sol.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.