The contractOwner has total control over the DittoETH protocol, mainly because the only external function that upgrades the Diamond Proxy to add, replace or remove facet selectors, DiamondCutFacet::diamondCut, can be executed solely by that single address, which therefore has absolute control over the protocol's code.
There is no mechanism that forces this address to delegate that control to a DAO or to any other arrangement that is not a single point of failure.
Even though an onlyDAO modifier guards the ownership change at OwnerFacet::transferOwnership, that modifier only lets contractOwner itself pass; if the owner decides not to transfer ownership, centralization of the protocol is total.
contractOwner has complete freedom to change any functionality and to withdraw or rug all assets. Even if well intended, the project could still be called out for this, resulting in a damaged reputation, as in this example.
The impact ranges from minor bugs or upgrades unwanted by the community, to total loss of funds, to DoS.
Manual review
Instead of launching with total admin access, we recommend setting up the DAO before the protocol launches and delegating deployment to it, so that the DAO holds control from the beginning.
Other solutions are also valid and more secure: a multisig or MPC to mitigate the single point of failure in case the contractOwner private key leaks, or waiting periods with a two-step proposal before contractOwner can trigger key functions.
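As an added illustration of the two-step waiting-period recommendation (example code, not DittoETH's): a hypothetical gate contract that would hold the diamond's contractOwner role, so that any diamondCut must first be announced, then applied unchanged only after an assumed two-day delay, with `proposer` expected to be a multisig or DAO rather than a single key.

```solidity
pragma solidity ^0.8.20;

// Subset of the EIP-2535 IDiamondCut interface that the gate forwards to.
interface IDiamondCut {
    enum FacetCutAction { Add, Replace, Remove }
    struct FacetCut { address facetAddress; FacetCutAction action; bytes4[] functionSelectors; }
    function diamondCut(FacetCut[] calldata _cut, address _init, bytes calldata _calldata) external;
}

// Hypothetical two-step, time-delayed gate meant to hold the diamond's contractOwner role.
// `proposer` would be a multisig or DAO address, not an individual key.
contract TimelockedDiamondCut {
    uint256 public constant MIN_DELAY = 2 days;      // assumed waiting period
    IDiamondCut public immutable diamond;
    address public immutable proposer;
    mapping(bytes32 => uint256) public readyAt;       // cut id => earliest execution time
    event CutProposed(bytes32 indexed id, uint256 readyAt);
    event CutExecuted(bytes32 indexed id);
    event CutCancelled(bytes32 indexed id);
    modifier onlyProposer() { require(msg.sender == proposer, "not proposer"); _; }

    constructor(IDiamondCut _diamond, address _proposer) {
        diamond = _diamond;
        proposer = _proposer;
    }

    // The id commits to the exact facets, selectors and init call; nothing else can be executed.
    function cutId(IDiamondCut.FacetCut[] calldata cut, address init, bytes calldata data)
        public pure returns (bytes32) { return keccak256(abi.encode(cut, init, data)); }

    // Step 1: announce the upgrade and start the clock; the diamond is untouched.
    function propose(IDiamondCut.FacetCut[] calldata cut, address init, bytes calldata data) external onlyProposer {
        bytes32 id = cutId(cut, init, data);
        require(readyAt[id] == 0, "already queued");
        readyAt[id] = block.timestamp + MIN_DELAY;
        emit CutProposed(id, readyAt[id]);
    }

    // Step 2: apply only the announced bytes, and only after the delay has elapsed.
    function execute(IDiamondCut.FacetCut[] calldata cut, address init, bytes calldata data) external onlyProposer {
        bytes32 id = cutId(cut, init, data);
        require(readyAt[id] != 0 && block.timestamp >= readyAt[id], "not ready");
        delete readyAt[id];
        diamond.diamondCut(cut, init, data);
        emit CutExecuted(id);
    }

    // A proposal the community objects to during the delay can be withdrawn.
    function cancel(bytes32 id) external onlyProposer {
        require(readyAt[id] != 0, "unknown proposal");
        delete readyAt[id];
        emit CutCancelled(id);
    }
}
```

Because the diamond's own contractOwner would be this contract, the CutProposed event gives users the full delay to inspect the queued facets and exit before any code change takes effect.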