Severity: high

Centralized Control in `Lender` and `Staking` Contracts

Summary

The Beedle contract inherits from ERC20Votes, which signals an intention to use token-based, decentralized governance. However, no governance logic is implemented and no governor is defined, so the protocol remains exposed to centralization risk.

Vulnerability Detail

The Lender and Staking contracts use the Ownable pattern, giving a single account extensive control over key functions and parameters. This is most pronounced in the Lender contract, whose key setter functions are restricted to the owner. With no decentralized governance mechanism in place, power is concentrated in that one account, which poses risks to the protocol and its users.

Impact

If the owner's private key is compromised, an attacker could have unfettered access to manipulate the contract.
Without a clear governance mechanism, the owner has unilateral control, which can be misused, either intentionally or unintentionally.
Users and stakeholders have no say in decisions, and there's no transparency in how or why decisions are made.

Tools Used

A thorough review of the code base was conducted to identify this issue.

Recommendation

Transition from a centralized Ownable structure to a more decentralized governance mechanism.
Implement a clear governance mechanism, define a governor, and ensure that token holders can participate in governance as indicated by the use of ERC20Votes.
