Trick or Treat

First Flight #27

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: low

Invalid

L-1: Centralization Risk Due to Trusted Owner Functions

m3dython

Description:

The contract includes several functions that are restricted to the owner, granting significant control over critical operations such as adding treats, setting treat costs, withdrawing funds, and transferring ownership.

Instances:

Contract Inheritance (Line 9):

contract SpookySwap is ERC721URIStorage, Ownable(msg.sender), ReentrancyGuard {
- The contract inherits from Ownable, setting the deployer as the owner.
addTreat Function (Line 37):

function addTreat(string memory _name, uint256 _rate, string memory _metadataURI) public onlyOwner {
- Allows the owner to add new treats to the contract.
setTreatCost Function (Line 43):

function setTreatCost(string memory _treatName, uint256 _cost) public onlyOwner {
- Enables the owner to modify the cost of existing treats.
withdrawFees Function (Line 146):

function withdrawFees() public onlyOwner {
- Permits the owner to withdraw all Ether held by the contract.
changeOwner Function (Line 156):

function changeOwner(address _newOwner) public onlyOwner {
- Allows the owner to transfer ownership to a new address.

Impact:

Centralization of Control:
- The owner has exclusive authority over essential functions, creating a single point of failure.
- Potential risks include malicious actions by the owner or compromise of the owner's private key.
User Trust Dependency:
- Users must trust that the owner will act in their best interests and not abuse their privileges.
- Any malicious behavior could lead to loss of user funds or manipulation of the contract's functionalities.

Recommendation:

Implement Decentralized Governance:
- Introduce multi-signature (multi-sig) wallets for owner actions to require consensus among multiple parties.
- Utilize decentralized autonomous organization (DAO) mechanisms for critical decisions.
Set Limits on Owner Actions:
- Impose restrictions on how and when the owner can perform sensitive operations.
- Implement time locks for actions like withdrawing funds to provide a buffer for users to react.
Enhance Transparency:
- Make all owner actions and changes transparent and auditable by the public.
- Notify users of any significant changes or updates to the contract.

Updates

Appeal created

bube Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Rewards breakdown

nSLOC

109

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.