Omniscia Sovryn Audit

InitializableOwnable Manual Review Findings

IOL-01M: Ownership Pull-Over-Push Pattern

Description:

The current ownership system uses a push pattern: `_transferOwnership` writes the new owner directly over the previous one, with no acknowledgement from the recipient that the address is live and under their control. A mistyped address, or one whose keys are not actually held by the intended party, therefore results in an irrecoverable loss of ownership, since the old owner is removed in the same transaction.

Example:

contracts/helpers/InitializableOwnable.sol
    function _transferOwnership(address newOwner) internal {
        require(newOwner != address(0), "InitializableOwnable: new owner is the zero address");
        emit OwnershipTransferred(_owner, newOwner);
        _owner = newOwner;
    }

Recommendation:

We advise applying the pull-over-push pattern, whereby the current owner only proposes a new owner and the proposed address must subsequently call an acceptance function itself. The acceptance transaction demonstrates that the new owner is aware of the transfer and controls the nominated account; until it is sent, the current owner remains in place and can overwrite or cancel the proposal.

Alleviation:

The development team has acknowledged this exhibit but decided to not apply its remediation in the current version of the codebase.