Source: OpenZeppelin Midnight - Compact Contracts Audit
Description
The Ownable contract claims to support experimental circuits to grant ownership to contract addresses. However, it authenticates against the left side of the owner, which corresponds to the public key side. Therefore, the experimental circuits cannot be used.
Moreover, this discrepancy can be used to bypass the non-zero owner validation by setting is_left to false and supplying a non-zero (irrelevant) contract address. This passes validation, but the actual owner would still be the public key, which could be set to zero.
Recommendation
Consider allowing the assertOnlyOwner circuit to support contract addresses.
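The mismatch described above, modelled in TypeScript as an added example; it is not Compact code and not the audited contract. The Either shape, the Caller type, all function names and the sample values are assumptions made for illustration.

```typescript
// Added illustration: a TypeScript model of the finding, not the audited code.
// All names and values below are hypothetical.
type Either = { is_left: boolean; left: string; right: string };
type Caller = { kind: "key" | "contract"; id: string };

const ZERO = "0x00"; // constructed stand-in for an all-zero key or address

// Non-zero check as the finding describes it: only the side selected by
// is_left is inspected.
function validateOwner(o: Either): boolean {
  return (o.is_left ? o.left : o.right) !== ZERO;
}

// Authentication as the finding describes it: always compares the left
// (public key) side and ignores is_left.
function isOwnerLeftOnly(o: Either, c: Caller): boolean {
  return c.kind === "key" && c.id === o.left;
}

// Consistent variant: authenticate against the same side that was validated,
// so a contract-address owner is usable and the unused side is never trusted.
function isOwnerConsistent(o: Either, c: Caller): boolean {
  if (!validateOwner(o)) return false;
  return o.is_left
    ? c.kind === "key" && c.id === o.left
    : c.kind === "contract" && c.id === o.right;
}

// Constructed owner value: right side set, left side left at zero.
const contractOwner: Either = { is_left: false, left: ZERO, right: "0xc0ffee" };
const contractCaller: Caller = { kind: "contract", id: "0xc0ffee" };
const zeroKeyCaller: Caller = { kind: "key", id: ZERO };

function demo() {
  return {
    passesValidation: validateOwner(contractOwner),
    leftOnlyAcceptsContract: isOwnerLeftOnly(contractOwner, contractCaller),
    leftOnlyAcceptsZeroKey: isOwnerLeftOnly(contractOwner, zeroKeyCaller),
    consistentAcceptsContract: isOwnerConsistent(contractOwner, contractCaller),
    consistentAcceptsZeroKey: isOwnerConsistent(contractOwner, zeroKeyCaller),
  };
}
```

In this model the owner value passes validation, yet the left-only check rejects the contract address and treats the zero public key as the owner; the consistent variant reverses both outcomes.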