Trick or Treat

Summary

The SpookySwap contract has significant centralization risks. The owner has excessive control over critical functions, which could be misused for censorship, price manipulation, and mismanaging user funds.

Vulnerability Details

The onlyOwner modifier restricts the following key functions:

• addTreat(): Only the owner can add new NFT treats, controlling their name, cost, and metadata. This allows for censorship and manipulation of NFT properties.

• setTreatCost(): The owner can arbitrarily change the cost of existing treats. This could be used to unfairly increase prices, harming users who bought treats at a lower cost.

• withdrawFees(): Only the owner can withdraw all ETH accumulated in the contract. This creates a single point of failure, making funds vulnerable to theft or loss if the owner's private key is compromised.

Impact

• Censorship: The owner can prevent certain NFTs from being added or make them too expensive, restricting user choice and potentially suppressing content.

• Price Manipulation: The owner can manipulate and treat costs for personal gain, exploiting users unaware of sudden price changes.

• Fund Mismanagement: The owner has sole control over contract funds, raising concerns about potential misuse or loss due to security breaches or malicious intent.

Tools Used

• Aderyn & AuditX

Recommendations

To reduce these centralization risks:

• Decentralized Governance: Implement a DAO where token holders can propose and vote on adding new treats, setting costs, and withdrawing fees.

• Multi-sig Wallet: Use a multi-signature wallet for owner functions, requiring multiple parties to approve critical actions.

• Time-locked Changes: Introduce time delays for price adjustments, allowing users to react and potentially withdraw funds if they disagree with the changes.

• Transparent Fee Distribution: Implement a clear and automatic way to distribute fees to stakeholders, reducing the owner's control over the funds.