Description

In the swap contract, the current owner can call ChangeOwner to change the owner to a new owner; however, the input is not checked at all:

public override Empty ChangeOwner(Address input)
{
    AssertSenderIsAdmin();
    State.Admin.Value = input;
    return new Empty();
}

Impact

If the input contains an incorrect address or the address of a contract incapable of calling ChangeOwner, ownership may become locked.

Recommendations

We recommend implementing a two-step admin-transfer method, where the current admin can arbitrarily set a ProposedAdmin, and then the named ProposedAdmin can call another method to accept ownership.

While this does not completely prevent the possibility of ownership being locked, it decreases the likelihood of human error that would otherwise switch the State.Admin.Value to an address incapable of administrating the swap contract.

Remediation

In commit , Awaken Finance improved this function by ensuring that the owner was not accidentally set to null, but they did not implement a two-step admin transfer. We recommend implementing a two-step admin-transfer method to prevent the possibility of ownership being locked, but the risk has been reduced by this change.