DittoETH

Ditto
DeFiFoundryOracle
55,000 USDC
Submission Details
Severity: high
Invalid

Centralized Control Risk in DittoETH due to Diamond Contract Owner Privileges

Summary

The OwnerFacet contract provides central administration of the Ditto protocol, including key functions such as market and vault creation. Because these functions are gated on a single Diamond contract owner, they carry risks of centralization, misconfiguration, and exploitation if that owner is compromised.

Vulnerability Details

  • Centralized Control: Critical functions such as market creation and oracle assignment are controlled solely by the Diamond contract owner.

  • Ownership Transfer Mechanism: Ownership can be transferred and claimed. If the Diamond contract owner's key is compromised, this mechanism could be used for a malicious takeover of the protocol.

  • Potential for Misconfiguration: Market-related protocol parameters can be adjusted by the owner, with no on-chain guard against values that would destabilize the protocol if misconfigured.

Reflection on Protocol's Claim

DittoETH claims to be a "decentralized pegged asset issuance protocol built on Ethereum." The protocol promises to offer censorship resistance, neutrality, custody-less and permissionless trades, and collateral management. Given the centralized control observed in the OwnerFacet contract by the Diamond contract owner, DittoETH's decentralization and censorship-resistance claims are called into question.

Impact

A compromised Diamond contract owner can lead to protocol exploitation, affecting users' funds and system stability. Misconfiguration of market parameters could also cause disruption.

Tools Used

  • Manual Code Review

Recommendations

  1. Decentralize Governance: Ensure that decision-making is transparent and decentralized.
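As an added illustration (not DittoETH's or OwnerFacet's code), the Solidity sketch below shows two controls that narrow the owner risk described above: a two-step transfer-and-claim so that a compromised or mistyped owner address cannot take over silently, and a bounds-checked, timelocked path for market parameter changes. All names, the CR bounds and the delay are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustration only, not DittoETH/OwnerFacet code. All names (pendingOwner,
// claimOwnership, MarketParams, queue/applyMarketParams, CR bounds, DELAY) are
// assumptions; in a diamond this state would live in AppStorage, inlined here.
contract TimelockedOwnerFacet {
    uint256 public constant DELAY = 2 days;
    address public owner;
    address public pendingOwner;
    // Collateral ratios in percent (e.g. 150 = 150%); fields are assumed.
    struct MarketParams { uint16 initialCR; uint16 liquidationCR; }
    struct Pending { uint16 initialCR; uint16 liquidationCR; uint64 eta; }
    mapping(address => MarketParams) public params;   // asset => live params
    mapping(address => Pending) public queued;        // asset => queued change
    event OwnershipProposed(address indexed proposed);
    event OwnershipClaimed(address indexed newOwner);
    event ParamsQueued(address indexed asset, uint16 initialCR, uint16 liquidationCR, uint64 eta);
    event ParamsApplied(address indexed asset);
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    constructor() { owner = msg.sender; }

    // Two-step transfer: a mistyped or hostile address gains nothing until it claims.
    function transferOwnership(address newOwner) external onlyOwner {
        pendingOwner = newOwner;
        emit OwnershipProposed(newOwner);
    }
    function claimOwnership() external {
        require(msg.sender == pendingOwner, "not pending owner");
        owner = pendingOwner;
        pendingOwner = address(0);
        emit OwnershipClaimed(owner);
    }

    // Changes are bounds-checked, announced on-chain, and only applicable after
    // DELAY, so users and monitors can react before a bad setting takes effect.
    function queueMarketParams(address asset, MarketParams calldata p) external onlyOwner {
        require(p.liquidationCR > 100 && p.initialCR > p.liquidationCR, "bad CR");
        uint64 eta = uint64(block.timestamp + DELAY);
        queued[asset] = Pending(p.initialCR, p.liquidationCR, eta);
        emit ParamsQueued(asset, p.initialCR, p.liquidationCR, eta);
    }
    function applyMarketParams(address asset) external {
        Pending memory q = queued[asset];
        require(q.eta != 0 && block.timestamp >= q.eta, "timelock not elapsed");
        params[asset] = MarketParams(q.initialCR, q.liquidationCR);
        delete queued[asset];
        emit ParamsApplied(asset);
    }
}
```

The emitted events are the detection hook: an off-chain monitor alerting on OwnershipProposed and ParamsQueued gives users the full DELAY window to exit before a hostile or mistaken change can be applied.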

Updates

Lead Judging Commences

0xnevi Lead Judge
almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Admin Input/call validation
