The contracts Credibility and OneShot implement privileged functionality that allows an owner to perform administrative tasks through functions such as setStreetsContract, which enables the owner to change critical parameters or configurations of the contract.
Contracts have owners with privileged rights to perform admin tasks and need to be trusted to not perform malicious updates or drain funds.
Found in src/CredToken.sol Line: 8
Found in src/CredToken.sol Line: 13
Found in src/OneShot.sol Line: 10
Found in src/OneShot.sol Line: 20
Centralization Risk: Owners with privileged rights pose a centralization risk as they have the authority to perform administrative actions without oversight or accountability.
Malicious Updates: If a trusted owner decides to abuse their privileges, they could maliciously update contract parameters, drain funds, or disrupt the intended functionality of the contract.
Loss of Trust: Users may lose trust in the contract if they perceive that owners can abuse their privileges, leading to a decrease in user confidence and adoption.
Manual review
Minimize Privileged Roles: Limit the use of privileged roles and minimize the scope of administrative functions to reduce the centralization risk.
Multisig or Governance Mechanisms: Implement multisig wallets or governance mechanisms to introduce checks and balances for administrative actions. This ensures that critical decisions require consensus among multiple parties.
Transparency and Accountability: Ensure transparency and accountability by providing clear documentation of administrative actions and establishing procedures for auditing and oversight.
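The multisig recommendation can be sketched as an M-of-N approval gate in front of the setter. This is an added example, not code from the audited repository: only the name setStreetsContract comes from the finding, while the contract name, the single address parameter, the approver set, the threshold and the round counter are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the project's code. Every name except
// setStreetsContract is hypothetical.
contract GuardedStreetsSetter {
    address public streetsContract;
    uint256 public immutable threshold;
    uint256 public round; // bumped on every change so older approvals cannot be replayed
    mapping(address => bool) public isApprover;
    mapping(bytes32 => mapping(address => bool)) public hasApproved;
    mapping(bytes32 => uint256) public approvalCount;

    event StreetsContractApproved(address indexed proposed, address indexed approver, uint256 approvals);
    event StreetsContractChanged(address indexed previous, address indexed current);

    error NotApprover();
    error AlreadyApproved();
    error ZeroAddress();
    error BadSetup();

    constructor(address[] memory approvers, uint256 threshold_) {
        if (threshold_ < 2 || threshold_ > approvers.length) revert BadSetup();
        for (uint256 i = 0; i < approvers.length; i++) {
            address a = approvers[i];
            if (a == address(0) || isApprover[a]) revert BadSetup(); // no zero or duplicate approvers
            isApprover[a] = true;
        }
        threshold = threshold_;
    }

    // Each call records one approval for `proposed`. The change only takes
    // effect once `threshold` distinct approvers have asked for the same address.
    function setStreetsContract(address proposed) external {
        if (!isApprover[msg.sender]) revert NotApprover();
        if (proposed == address(0)) revert ZeroAddress();
        bytes32 id = keccak256(abi.encode(round, proposed));
        if (hasApproved[id][msg.sender]) revert AlreadyApproved();
        hasApproved[id][msg.sender] = true;
        uint256 approvals = ++approvalCount[id];
        emit StreetsContractApproved(proposed, msg.sender, approvals);
        if (approvals >= threshold) {
            address previous = streetsContract;
            streetsContract = proposed;
            round++; // invalidates every pending proposal from this round
            emit StreetsContractChanged(previous, proposed);
        }
    }
}
```

The two events give off-chain monitors an audit trail of who approved which address and when the change took effect, which addresses the transparency recommendation as well.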