DittoETH

Ditto
DeFi, Foundry, Oracle
55,000 USDC
Submission Details
Severity: medium
Invalid

Reputation Risks with `contractOwner`

Summary

The contractOwner has total control over the DittoETH protocol. The only external function that upgrades the Diamond proxy, i.e. adds, replaces or removes facet selectors, is DiamondCutFacet::diamondCut, and a single address has absolute control over it.
There is no mechanism that forces the owner to delegate this control to a DAO or to any other arrangement that avoids a single point of failure.

Vulnerability Details

Although OwnerFacet::transferOwnership is guarded by an onlyDAO modifier, the only address that can satisfy that modifier is contractOwner itself. If the owner decides never to transfer ownership, centralization of the protocol is total.
contractOwner has complete freedom to change any functionality and to withdraw/rug all assets. Even if well intentioned, the project could still be called out, resulting in a damaged reputation, as in this example.

Impact

Ranges from minor bugs or upgrades unwanted by the community, to denial of service, to total loss of funds.

Tools Used

Manual review

Recommendations

Instead of beginning with total admin access, we recommend setting up the DAO before the protocol launches and delegating deployment and ownership to it, so that it holds control from the beginning.
Other mitigations are also valid and more secure: a multisig or MPC wallet to remove the single point of failure in case the contractOwner private key leaks, or a waiting period with a two-step proposal process before contractOwner can trigger key functions.
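The following is an added example of the two-step, delayed proposal pattern recommended above. It is not DittoETH code; the contract name TimelockedDiamondOwner, the governor role, and the MIN_DELAY and GRACE_PERIOD values are assumptions. Only the IDiamondCut interface follows the EIP-2535 standard that DiamondCutFacet::diamondCut implements. The idea is that this contract, rather than an EOA, holds the contractOwner role, so every diamondCut must first be announced on-chain and can only be applied after the delay.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Minimal EIP-2535 IDiamondCut interface, matching the standard that DiamondCutFacet::diamondCut implements.
interface IDiamondCut {
    enum FacetCutAction { Add, Replace, Remove }

    struct FacetCut {
        address facetAddress;
        FacetCutAction action;
        bytes4[] functionSelectors;
    }

    function diamondCut(FacetCut[] calldata _diamondCut, address _init, bytes calldata _calldata) external;
}

/// Hypothetical timelock intended to hold the Diamond's contractOwner role (illustration, not project code).
/// `governor` is assumed to be a multisig or DAO executor; MIN_DELAY and GRACE_PERIOD are assumed values.
contract TimelockedDiamondOwner {
    uint256 public constant MIN_DELAY = 2 days;     // assumed: minimum wait between propose and execute
    uint256 public constant GRACE_PERIOD = 7 days;  // assumed: window after readiness in which execution is still allowed

    address public immutable diamond;   // the Diamond proxy whose facets are being upgraded
    address public immutable governor;  // multisig / DAO executor allowed to propose, execute and cancel

    // proposal id => earliest execution timestamp (0 means not queued)
    mapping(bytes32 => uint256) public eta;

    event CutProposed(bytes32 indexed id, uint256 readyAt);
    event CutExecuted(bytes32 indexed id);
    event CutCancelled(bytes32 indexed id);

    error NotGovernor();
    error AlreadyQueued();
    error NotQueued();
    error TooEarly(uint256 readyAt);
    error Expired(uint256 expiredAt);

    modifier onlyGovernor() {
        if (msg.sender != governor) revert NotGovernor();
        _;
    }

    constructor(address _diamond, address _governor) {
        diamond = _diamond;
        governor = _governor;
    }

    /// Binding commitment to the exact cut: the same calldata must be supplied again at execution,
    /// so nothing can be swapped between proposal and execution. `salt` lets an identical cut be re-queued.
    function cutId(
        IDiamondCut.FacetCut[] calldata cut,
        address init,
        bytes calldata initCalldata,
        bytes32 salt
    ) public pure returns (bytes32) {
        return keccak256(abi.encode(cut, init, initCalldata, salt));
    }

    /// Step 1: announce the upgrade. Nothing changes on the Diamond yet; users and integrators
    /// get at least MIN_DELAY to inspect the proposed facets and react.
    function propose(
        IDiamondCut.FacetCut[] calldata cut,
        address init,
        bytes calldata initCalldata,
        bytes32 salt
    ) external onlyGovernor returns (bytes32 id) {
        id = cutId(cut, init, initCalldata, salt);
        if (eta[id] != 0) revert AlreadyQueued();
        eta[id] = block.timestamp + MIN_DELAY;
        emit CutProposed(id, eta[id]);
    }

    /// Step 2: apply the announced cut once the delay has passed and before it goes stale.
    function execute(
        IDiamondCut.FacetCut[] calldata cut,
        address init,
        bytes calldata initCalldata,
        bytes32 salt
    ) external onlyGovernor {
        bytes32 id = cutId(cut, init, initCalldata, salt);
        uint256 readyAt = eta[id];
        if (readyAt == 0) revert NotQueued();
        if (block.timestamp < readyAt) revert TooEarly(readyAt);
        if (block.timestamp > readyAt + GRACE_PERIOD) revert Expired(readyAt + GRACE_PERIOD);
        delete eta[id]; // clear state before the external call
        IDiamondCut(diamond).diamondCut(cut, init, initCalldata);
        emit CutExecuted(id);
    }

    /// Withdraw a queued cut, for example after a community objection raised during the delay.
    function cancel(bytes32 id) external onlyGovernor {
        if (eta[id] == 0) revert NotQueued();
        delete eta[id];
        emit CutCancelled(id);
    }
}
```

To adopt it, the current contractOwner would hand ownership to the deployed TimelockedDiamondOwner through OwnerFacet::transferOwnership (still subject to the onlyDAO check described above), after which DiamondCutFacet::diamondCut can only be reached through propose followed by execute. Governor rotation and an emergency pause are deliberately left out of the example; a production timelock would add both.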

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Admin Input/call validation
