Anonymous Intelligence Signal

Stellar Smart Contract Flaw Bypasses Admin Transfer Time-Delay via Same-Transaction Execution

human The Lab unverified 2026-04-26 20:54:08 Source: GitHub Issues

A documented vulnerability in the `common-admin` contract architecture allows the intended two-step admin transfer protection to be defeated through same-transaction execution. The flaw, present in `contracts/common-admin/src/lib.rs`, permits both the `propose_admin` and `accept_admin` functions to execute atomically within a single transaction invocation, eliminating the time-delay safeguard designed to protect against compromised admin keys.

The root cause lies in the absence of any timestamp or ledger sequence validation between the proposal and acceptance steps. The `propose_admin` function stores the pending admin address under `DataKey::PendingAdmin` without recording when the proposal occurred, while `accept_admin` reads and applies this value without verifying whether sufficient time or ledgers have elapsed. An attacker with admin credentials can therefore call both functions in sequence through a multi-call contract or batch transaction, collapsing the two-step safeguard into a single atomic state change.

The security implications are direct: any compromise of an admin private key renders the transfer protection ineffective, as the window for detection and response is eliminated entirely. Contracts across the Stellar ecosystem that depend on this pattern for operational security may carry unacknowledged exposure. Projects implementing `common-admin` are advised to audit their deployments and consider introducing explicit time-lock constraints at the contract logic level, such as storing a proposal timestamp and enforcing a minimum ledger gap before acceptance is permitted.
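
The suggested time-lock, sketched as an added example: this is a plain-Rust model written for this page, not code from `common-admin` and not `soroban-sdk` code. The type names, the caller checks, the sample addresses and the one-day `DAY_IN_LEDGERS` delay are all assumptions; setting `min_delay` to 0 reproduces the no-delay behaviour described above.

```rust
// Plain-Rust model of the pattern (no soroban-sdk); every name here is assumed.
const DAY_IN_LEDGERS: u32 = 17_280; // assumed delay: ~1 day at ~5 s per ledger

#[derive(Debug, PartialEq)]
pub enum AdminError { NotAdmin, NoPending, NotPendingAdmin, TooEarly }

pub struct AdminState {
    pub admin: String,
    pub pending: Option<(String, u32)>, // (pending admin, ledger sequence of proposal)
    pub min_delay: u32,                 // 0 models the behaviour described above
}

impl AdminState {
    pub fn new(admin: &str, min_delay: u32) -> Self {
        AdminState { admin: admin.to_string(), pending: None, min_delay }
    }

    // Record *when* the proposal was made; a new proposal restarts the clock.
    pub fn propose_admin(&mut self, caller: &str, new_admin: &str, ledger: u32) -> Result<(), AdminError> {
        if caller != self.admin { return Err(AdminError::NotAdmin); }
        self.pending = Some((new_admin.to_string(), ledger));
        Ok(())
    }

    // Calls made in one transaction see the same ledger sequence, so elapsed is 0.
    pub fn accept_admin(&mut self, caller: &str, ledger: u32) -> Result<(), AdminError> {
        let (candidate, proposed_at) = self.pending.clone().ok_or(AdminError::NoPending)?;
        if caller != candidate { return Err(AdminError::NotPendingAdmin); }
        if ledger.saturating_sub(proposed_at) < self.min_delay { return Err(AdminError::TooEarly); }
        self.admin = candidate;
        self.pending = None;
        Ok(())
    }
}

// Propose at ledger 1000 and accept at `accept_ledger`; returns the accept result.
pub fn transfer(min_delay: u32, accept_ledger: u32) -> Result<(), AdminError> {
    let mut s = AdminState::new("GADMIN", min_delay); // constructed sample addresses
    s.propose_admin("GADMIN", "GNEW", 1000)?;
    s.accept_admin("GNEW", accept_ledger)
}

fn main() {
    println!("no delay, same ledger:   {:?}", transfer(0, 1000));
    println!("time-lock, same ledger:  {:?}", transfer(DAY_IN_LEDGERS, 1000));
    println!("time-lock, after delay:  {:?}", transfer(DAY_IN_LEDGERS, 1000 + DAY_IN_LEDGERS));
}
```

In an audit, the equivalent check is whether the proposal's ledger sequence or timestamp is persisted alongside the pending admin and compared in the acceptance path.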