58469 sc low pending admin cannot accept ownership

Submitted on Nov 2nd 2025 at 14:30:25 UTC by @ihtishamsudo for Audit Comp | Alchemix V3

  • Report ID: #58469

  • Report Type: Smart Contract

  • Report severity: Low

  • Target: https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/AlchemistCurator.sol

  • Impacts:

    • Contract fails to deliver promised returns, but doesn't lose value

Description

Brief/Intro

The acceptAdminOwnership() function in AlchemistCurator.sol uses an incorrect access control modifier (onlyAdmin), preventing the intended new admin from accepting ownership transfer.

Vulnerability Details

The acceptAdminOwnership() function is protected by the onlyAdmin modifier, which restricts access to only the current admin:

function acceptAdminOwnership() external onlyAdmin {
    admin = pendingAdmin;
    pendingAdmin = address(0);
    emit AdminChanged(admin);
}

Impact Details

  • The pendingAdmin cannot call acceptAdminOwnership() (reverts with "PD").

  • Only the current admin can call this function.

References

  • The pendingAdmin cannot call acceptAdminOwnership() (reverts with "PD").

  • Only the current admin can call this function.

  • The current admin can complete the transfer unilaterally without the new admin's consent.
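The reported gating next to a corrected acceptance check, as an added example that is not code from AlchemistCurator.sol or from the report. The contract name, `proposeAdmin`, `acceptAdminOwnershipAsReported`, the event signature and the "zero admin" and "not pending admin" strings are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative two-step admin handover (added example, hypothetical contract).
contract TwoStepAdminSketch {
    address public admin;
    address public pendingAdmin;

    // Event signature assumed; the report only shows `emit AdminChanged(admin)`.
    event AdminChanged(address indexed newAdmin);

    constructor(address initialAdmin) {
        require(initialAdmin != address(0), "zero admin"); // constructed string
        admin = initialAdmin;
    }

    modifier onlyAdmin() {
        require(msg.sender == admin, "PD"); // revert string cited in the report
        _;
    }

    // Step 1: the current admin nominates a successor (hypothetical function name).
    function proposeAdmin(address newAdmin) external onlyAdmin {
        pendingAdmin = newAdmin;
    }

    // Gating as reported: the caller must be the *current* admin, so the nominee
    // reverts with "PD" and the admin can finish the handover alone.
    function acceptAdminOwnershipAsReported() external onlyAdmin {
        admin = pendingAdmin;
        pendingAdmin = address(0);
        emit AdminChanged(admin);
    }

    // Step 2, corrected: the caller must be the nominee, which proves the new
    // admin controls the address and consents. msg.sender is never address(0),
    // so an empty nomination cannot be accepted.
    function acceptAdminOwnership() external {
        require(msg.sender == pendingAdmin, "not pending admin"); // constructed string
        admin = pendingAdmin;
        pendingAdmin = address(0);
        emit AdminChanged(admin);
    }
}
```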

Proof of Concept

Include this test in AlchemistCurator.t.sol and execute forge test --match-test "testAcceptAdminOwnershipBug" -vvv
