Issue Description
LSP0 relies on LSP14 for ownership management, which is beneficial in preventing accidental ownership transfers by mitigating common mistakes such as typos in addresses. However, LSP14 does not provide protection against phishing attacks.
Currently, LSP14 allows attackers to trick users into signing a transferOwnership transaction, which can then be accepted by the attacker as soon as it's mined. This single-step process is vulnerable to phishing attacks.
In contrast, the renounceOwnership process in LSP14 requires two steps and enforces a delay between them. This delay helps reduce the risk of successful phishing attacks since the attacker cannot immediately request the user to sign the subsequent transaction.
Proposed Solution
To enhance the phishing protection in LSP0, we suggest implementing a similar mechanism to the renounceOwnership process for transferOwnership:
After a user initiates a transferOwnership transaction, the recipient address cannot accept ownership until a predefined delay period has passed.
If the new owner does not accept ownership within the limited time window, the transfer is invalidated.
By adding this delay, interfaces can display warnings or notifications to the user regarding the ownership transfer, giving them a chance to rectify any mistakes. Additionally, integration with mobile, email, or SMS services can alert users of ownership transfers, allowing them to take quick action if needed, similar to receiving notifications when someone logs into their Google account.
This proposed solution strengthens LSP0 against phishing attacks, providing a more robust protection mechanism for ownership transfers.
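The following is an added example, not part of the original issue and not LUKSO contract code: a small Python model of the proposed flow, in which acceptance is blocked until a delay has passed and is invalid once the window closes. The delay and window lengths, the `cancel_transfer` helper and the exception names are assumptions made for illustration; the issue does not specify them.

```python
class TransferNotReady(Exception):
    """Acceptance attempted before the delay has elapsed."""

class TransferExpired(Exception):
    """Acceptance attempted after the acceptance window closed."""

class DelayedOwnable:
    # Assumed values: the issue does not define the delay or the window.
    ACCEPT_DELAY = 100   # blocks that must pass before acceptance is allowed
    ACCEPT_WINDOW = 100  # blocks during which acceptance remains valid

    def __init__(self, owner):
        self.owner = owner
        self.pending_owner = None
        self.transfer_started_at = None

    def transfer_ownership(self, caller, new_owner, block):
        if caller != self.owner:
            raise PermissionError("caller is not the owner")
        # Step 1 only records intent; ownership does not move yet.
        self.pending_owner = new_owner
        self.transfer_started_at = block

    def cancel_transfer(self, caller):
        # Hypothetical helper: lets the owner react to a warning or alert
        # received during the delay and withdraw the pending transfer.
        if caller != self.owner:
            raise PermissionError("caller is not the owner")
        self.pending_owner = None
        self.transfer_started_at = None

    def accept_ownership(self, caller, block):
        if self.pending_owner is None or caller != self.pending_owner:
            raise PermissionError("caller is not the pending owner")
        opens = self.transfer_started_at + self.ACCEPT_DELAY
        closes = opens + self.ACCEPT_WINDOW
        if block < opens:
            # A phished transfer cannot be completed in the next block.
            raise TransferNotReady(f"acceptance opens at block {opens}")
        if block > closes:
            # State is left as-is, as a reverted call would leave it;
            # the stale request can never be accepted.
            raise TransferExpired(f"acceptance closed at block {closes}")
        self.owner = caller
        self.pending_owner = None
        self.transfer_started_at = None
```
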