58423 sc low pending admin cannot accept ownership transfer in alchemistcurator

Submitted on Nov 2nd 2025 at 08:39:40 UTC by @Ekene for Audit Comp | Alchemix V3

  • Report ID: #58423

  • Report Type: Smart Contract

  • Report severity: Low

  • Target: https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/AlchemistCurator.sol

  • Impacts:

    • Pending Admin Cannot Accept Ownership Transfer

Description

Summary

When the current admin calls transferAdminOwnerShip() to set a new pendingAdmin, the transfer cannot be completed because the acceptAdminOwnership() function is restricted by the onlyAdmin modifier. Since the pendingAdmin is not yet the admin, they cannot successfully call this function, effectively breaking the intended admin transfer flow.

Impact

Admin ownership transfer becomes impossible. This could permanently lock administrative privileges to the original admin and prevent future upgrades or configuration changes.

Root Cause

The acceptAdminOwnership() function uses the onlyAdmin modifier, preventing the pendingAdmin from executing it.

Remove the onlyAdmin restriction and explicitly allow the pending admin to accept ownership:
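
A minimal sketch of that change, added here as an example and not taken from the report or from AlchemistCurator.sol. The state layout, errors, event and contract names are assumptions; only transferAdminOwnerShip(), acceptAdminOwnership(), onlyAdmin and pendingAdmin come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative two-step admin handover. Hypothetical contracts, not the audited source.
abstract contract AdminHandoverBase {
    address public admin;
    address public pendingAdmin;

    event AdminChanged(address indexed previousAdmin, address indexed newAdmin);
    error NotAdmin();
    error NotPendingAdmin();

    constructor() {
        admin = msg.sender;
    }

    modifier onlyAdmin() {
        if (msg.sender != admin) revert NotAdmin();
        _;
    }

    // Step 1: the current admin nominates a successor.
    function transferAdminOwnerShip(address newAdmin) external onlyAdmin {
        pendingAdmin = newAdmin;
    }

    // Shared state change for step 2; the caller check lives in the derived contracts.
    function _completeHandover() internal {
        emit AdminChanged(admin, pendingAdmin);
        admin = pendingAdmin;
        pendingAdmin = address(0);
    }
}

// Pattern described in the report: step 2 is gated on the current admin,
// so a call from pendingAdmin reverts with NotAdmin().
contract HandoverAsReported is AdminHandoverBase {
    function acceptAdminOwnership() external onlyAdmin {
        _completeHandover();
    }
}

// Suggested pattern: step 2 is gated on the nominated address only.
// With no nomination, pendingAdmin is address(0) and every caller is rejected.
contract HandoverFixed is AdminHandoverBase {
    function acceptAdminOwnership() external {
        if (msg.sender != pendingAdmin) revert NotPendingAdmin();
        _completeHandover();
    }
}
```

A regression test for the fix would nominate an address, assert that its call to acceptAdminOwnership() succeeds and updates admin, and assert that a call from any other address reverts.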

Proof of Concept
