DittoETH

Ditto
DeFiFoundryOracle
55,000 USDC
Submission Details
Severity: low
Invalid

Admin Role is a centralized, single point of failure

Summary

The Admin role is a single point of failure: compromise of that one key would give a malicious actor control over critical functions in the project.

Assumptions

The DAO will be an address controlled by multiple users through a multi-sig wallet, and is therefore assumed not to be a centralized, single-person point of failure.

Vulnerability Details

There are 19 functions in OwnerFacet.sol (listed below) that can be executed by the wallet holding admin privileges. That wallet is initially set in the Diamond.sol constructor, and the role may later be transferred to another wallet.

List of the 19 affected functions

transferAdminship(address newAdmin): Allows the admin or DAO to transfer admin rights to another address.
setTithe(uint256 vault, uint16 zethTithePercent): Update eligibility requirements for yield accrual.
setDittoMatchedRate(uint256 vault, uint16 rewardRate): Set the matched rate for Ditto.
setDittoShorterRate(uint256 vault, uint16 rewardRate): Set the shorter rate for Ditto.
setInitialMargin(address asset, uint16 value): Set the initial margin for an asset.
setPrimaryLiquidationCR(address asset, uint16 value): Set the primary liquidation collateral ratio for an asset.
setSecondaryLiquidationCR(address asset, uint16 value): Set the secondary liquidation collateral ratio for an asset.
setForcedBidPriceBuffer(address asset, uint8 value): Set the forced bid price buffer for an asset.
setMinimumCR(address asset, uint8 value): Set the minimum collateral ratio for an asset.
setResetLiquidationTime(address asset, uint16 value): Set the reset time for liquidation for an asset.
setSecondLiquidationTime(address asset, uint16 value): Set the second liquidation time for an asset.
setFirstLiquidationTime(address asset, uint16 value): Set the first liquidation time for an asset.
setTappFeePct(address asset, uint8 value): Set the TAPP fee percentage for an asset.
setCallerFeePct(address asset, uint8 value): Set the caller fee percentage for an asset.
setMinBidEth(address asset, uint8 value): Set the minimum bid in ETH for an asset.
setMinAskEth(address asset, uint8 value): Set the minimum ask in ETH for an asset.
setMinShortErc(address asset, uint16 value): Set the minimum short ERC for an asset.
setWithdrawalFee(address bridge, uint16 withdrawalFee): Set the withdrawal fee for a bridge.
setUnstakeFee(address bridge, uint8 unstakeFee): Set the unstake fee for a bridge.

Impact

Misuse of some of these 19 functions could have serious consequences for the protocol.

Market Manipulation

A malicious admin can use functions such as setInitialMargin, setPrimaryLiquidationCR and setSecondaryLiquidationCR to manipulate market conditions, leading to unfair liquidations, market crashes, or other unintended consequences for users.

Oracle Manipulation

The setAssetOracle function allows the admin to change the oracle for an asset. A malicious actor could point it at a compromised or malicious oracle, producing incorrect price feeds and financial losses for users.

Fee Manipulation

With functions like setTappFeePct, setCallerFeePct, setWithdrawalFee and setUnstakeFee, a malicious admin can set fees arbitrarily, potentially draining user funds or making the platform unusable through exorbitant fees.

Tools Used

Manual Review

Recommendations

Implement robust access controls so that no single address is a single point of failure for the entire protocol. Based on the assumption above, the DAO should be given sole control over the sensitive functions, while the admin can remain in control of less critical operations.
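One way to realise the two-tier split recommended above, as an added example that is not DittoETH's OwnerFacet code. The state variable names, the two modifiers and the fee bound are assumptions; only the function names come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not DittoETH code: privileged setters split into two tiers.
// State variable names, modifier names and the fee bound are assumptions.
contract TieredOwner {
    address public admin; // operational key
    address public dao;   // governance multisig or timelock
    uint8 public constant MAX_FEE_PCT = 100; // assumed upper bound for a fee percentage
    mapping(address => address) public assetOracle;
    mapping(address => uint8) public callerFeePct;
    error Unauthorized(address caller);
    error OutOfRange(uint256 value);

    constructor(address _admin, address _dao) {
        require(_admin != address(0) && _dao != address(0), "zero address");
        admin = _admin;
        dao = _dao;
    }

    // Sensitive functions: governance only.
    modifier onlyDAO() {
        if (msg.sender != dao) revert Unauthorized(msg.sender);
        _;
    }

    // Less critical operations: admin may act, DAO can still override.
    modifier onlyAdminOrDAO() {
        if (msg.sender != admin && msg.sender != dao) revert Unauthorized(msg.sender);
        _;
    }

    // A compromised oracle can wipe out users: DAO only, and the value is
    // validated even for a legitimate caller.
    function setAssetOracle(address asset, address oracle) external onlyDAO {
        if (oracle == address(0)) revert OutOfRange(0);
        assetOracle[asset] = oracle;
    }

    // Fee tuning is bounded and reversible: admin or DAO.
    function setCallerFeePct(address asset, uint8 value) external onlyAdminOrDAO {
        if (value > MAX_FEE_PCT) revert OutOfRange(value);
        callerFeePct[asset] = value;
    }

    // Handing over the admin key itself stays with governance.
    function transferAdminship(address newAdmin) external onlyDAO {
        if (newAdmin == address(0)) revert OutOfRange(0);
        admin = newAdmin;
    }
}
```

The range checks address the judge's "Admin Input/call validation" point as well: even the governance address cannot set a zero oracle or an out-of-range fee.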

Updates

Lead Judging Commences

0xnevi Lead Judge
about 2 years ago
Submission Judgement Published
Invalidated
Reason: Admin Input/call validation
