Category: Business Logic

Remove renounceOwnership functionality

Severity: Informational
Impact: Informational
Likelihood: N/A

Description

The FuseFeeDistributor, FusePoolDirectory, and CurveLpTokenPriceOracleNoRegistry contracts inherit from OwnableUpgradeable, which provides a method named renounceOwnership that removes the current owner (Reference). This is likely not a desired feature.

Impact

If renounceOwnership were called, the contract would be left without an owner.

Recommendations

Override the renounceOwnership function:

// Overrides OwnableUpgradeable.renounceOwnership so that ownership cannot be given up.
function renounceOwnership() public override onlyOwner {
    revert("This feature is not available.");
}

Remediation

Ionic Protocol states that they may remove ownership of the contracts in the future, so the renounceOwnership functionality remains. However, in commit eeea03 they implemented a two-step ownership change pattern for added safety when transferring contract ownership.

Ionic Protocol states, "in the future we may want to completely remove ownership on the contracts and allow the system to work permissionlessly. All of the contracts are set up to make this possible, so we do not see this as an issue."
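The two-step ownership change mentioned in the remediation, sketched as an added example: this is not Ionic Protocol's code from commit eeea03, and the contract name, event names and error strings are hypothetical. It assumes a plain (non-upgradeable) contract with a constructor for brevity; an upgradeable contract would set the owner in its initializer instead.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration with hypothetical names; not Ionic Protocol's contracts.
contract TwoStepOwnable {
    address public owner;
    address public pendingOwner;

    event OwnershipTransferStarted(address indexed from, address indexed to);
    event OwnershipTransferred(address indexed from, address indexed to);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
        emit OwnershipTransferred(address(0), msg.sender);
    }

    // Step 1: the owner only nominates a successor. Ownership has not moved,
    // so a mistyped address can be corrected by nominating again.
    function transferOwnership(address newOwner) public virtual onlyOwner {
        pendingOwner = newOwner;
        emit OwnershipTransferStarted(owner, newOwner);
    }

    // Step 2: the nominee proves control of the address by calling in.
    function acceptOwnership() public virtual {
        require(msg.sender == pendingOwner, "not pending owner");
        address previous = owner;
        owner = pendingOwner;
        pendingOwner = address(0);
        emit OwnershipTransferred(previous, owner);
    }

    // Kept available, as in the remediation: the one deliberate path to an
    // ownerless contract. Clearing pendingOwner stops an earlier nominee
    // from taking ownership after the renounce.
    function renounceOwnership() public virtual onlyOwner {
        address previous = owner;
        owner = address(0);
        pendingOwner = address(0);
        emit OwnershipTransferred(previous, address(0));
    }
}
```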

Zellic © 2023