Severity: medium

The `owner` is a single point of failure and a centralization risk

Summary

Contracts have owners with privileged rights to perform admin tasks. These owners must be trusted not to perform malicious updates or drain funds. Having a single Externally Owned Account (EOA) as the sole owner is a significant centralization risk and a single point of failure.

Vulnerability Details

There are 2 instances of this issue.

```solidity
File: src/DecentralizedStableCoin.sol

46: function burn(uint256 _amount) public override onlyOwner {
57: function mint(address _to, uint256 _amount) external onlyOwner returns (bool) {
```

Impact

A private key could be stolen, access to a key may be lost by accident, or an owner could act maliciously. In all cases, the project is at risk of financial loss.

Tools Used

baudit: a custom static code analysis tool; manual review

Recommendations

Admin-only functions that change critical parameters should emit events and have timelocks. Events capture the changed parameters so that off-chain tools and interfaces can register the changes, and timelocks give users time to evaluate them and decide whether to engage or exit, based on how they perceive the changes as affecting the trustworthiness of the protocol or the profitability of the implemented financial services. Allow only multi-signature wallets to call these functions to reduce the likelihood of an attack or unintentional loss.
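
One way to apply this recommendation to the `mint` instance, as an added example that is not code from the audited project: a wrapper contract that would hold the token's owner role, accepts calls only from an admin contract, and queues each mint behind a delay with events. `TimelockedMintOwner`, `IMintable`, `admin`, `DELAY` and the 2-day value are hypothetical, and the example assumes ownership of the token is transferred to this wrapper.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

interface IMintable { // matches the mint signature listed in the finding
    function mint(address _to, uint256 _amount) external returns (bool);
}

// Hypothetical wrapper meant to hold the token's owner role in place of an EOA.
contract TimelockedMintOwner {
    IMintable public immutable token;
    address public immutable admin;             // assumed to be a multi-signature wallet
    uint256 public constant DELAY = 2 days;     // constructed value
    mapping(bytes32 => uint256) public readyAt; // operation id => earliest execution time

    event MintQueued(bytes32 indexed id, address indexed to, uint256 amount, uint256 eta);
    event MintCancelled(bytes32 indexed id);
    event MintExecuted(bytes32 indexed id, address indexed to, uint256 amount);

    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }

    constructor(IMintable _token, address _admin) {
        // Rejects a plain EOA; it does not prove the contract is a multisig.
        require(_admin.code.length > 0, "admin must be a contract");
        token = _token;
        admin = _admin;
    }

    // Announce a mint; off-chain monitors see MintQueued before anything happens.
    function queueMint(address to, uint256 amount, bytes32 salt) external onlyAdmin returns (bytes32 id) {
        id = keccak256(abi.encode(to, amount, salt));
        require(readyAt[id] == 0, "already queued");
        readyAt[id] = block.timestamp + DELAY;
        emit MintQueued(id, to, amount, readyAt[id]);
    }

    function cancel(bytes32 id) external onlyAdmin {
        require(readyAt[id] != 0, "not queued");
        delete readyAt[id];
        emit MintCancelled(id);
    }

    // Executes only the exact operation that was queued, and only after the delay.
    function executeMint(address to, uint256 amount, bytes32 salt) external onlyAdmin {
        bytes32 id = keccak256(abi.encode(to, amount, salt));
        uint256 t = readyAt[id];
        require(t != 0 && block.timestamp >= t, "not queued or too early");
        delete readyAt[id]; // clear before the external call so the operation cannot run twice
        require(token.mint(to, amount), "mint failed");
        emit MintExecuted(id, to, amount);
    }
}
```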
