Project: One World (NFTDeFi, 15,000 USDC)

Submission Details
Severity: low
Status: Invalid

Role Assignment and Ownership Transfer Risks

Root Cause:
The MembershipFactory contract assigns ownership of the ProxyAdmin to msg.sender (the deployer), which may be a single externally owned account (EOA).

Impact:

  • Centralization Risk: If the deployer's private key is compromised, the attacker controls the ProxyAdmin and can upgrade every proxy it administers to a malicious implementation.

  • Single Point of Failure: The security of the entire upgrade path hinges on one private key.

Recommendation:

  • Transfer ownership of the ProxyAdmin to a multisig wallet or a DAO governance contract.

  • Implement role-based access controls with multiple administrators to distribute permissions.

  • Regularly audit and monitor administrative roles and ownership structures.
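The two patterns side by side, as an added illustration written for this page rather than code from the One World or MembershipFactory contracts: a factory that hands the ProxyAdmin to whoever sent the deployment transaction, and a hardened factory that takes the upgrade authority as an explicit constructor argument and refuses a bare EOA. It assumes OpenZeppelin Contracts v5, whose ProxyAdmin constructor takes the initial owner; the contract, error and function names are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumption: OpenZeppelin Contracts v5, whose ProxyAdmin constructor takes
// the initial owner as an argument. Contract and function names below are
// illustrative, not the audited project's.
import {ProxyAdmin} from "@openzeppelin/contracts/proxy/transparent/ProxyAdmin.sol";

/// Pattern described in the finding: whoever sends the deployment
/// transaction becomes the sole owner of the ProxyAdmin. If that is an EOA,
/// one leaked key is enough to upgrade every proxy it administers.
contract DeployerOwnedFactory {
    ProxyAdmin public immutable proxyAdmin;

    constructor() {
        // Single EOA becomes the upgrade authority for the whole system.
        proxyAdmin = new ProxyAdmin(msg.sender);
    }
}

/// Hardened variant: the upgrade authority is passed in explicitly and is
/// expected to be a multisig, timelock or governance contract, never the
/// key that happens to broadcast the deployment.
contract GovernanceOwnedFactory {
    ProxyAdmin public immutable proxyAdmin;

    error AdminMustBeContract(address admin);

    constructor(address governance) {
        // An EOA has no code; a Safe, Timelock or Governor does. This is a
        // cheap deploy-time sanity check, not proof that `governance` is a
        // well-configured multisig. Confirm signers and threshold off-chain.
        if (governance.code.length == 0) revert AdminMustBeContract(governance);
        proxyAdmin = new ProxyAdmin(governance);
    }
}

/// Read-only helper for the "audit and monitor administrative roles"
/// recommendation: anyone can confirm that the current ProxyAdmin owner is
/// a contract rather than a single key. `owner()` is inherited by
/// ProxyAdmin from OpenZeppelin's Ownable.
library AdminOwnershipCheck {
    function ownerIsContract(ProxyAdmin admin) internal view returns (bool) {
        return admin.owner().code.length > 0;
    }
}
```

If ownership must later move (for example from a deploy-time multisig to a DAO), OpenZeppelin's Ownable2Step makes the new owner accept explicitly before the transfer takes effect, so a mistyped address cannot silently orphan the upgrade authority. The `ownerIsContract` check is deliberately weak: it catches the EOA case this finding describes, but a monitoring job should also compare the owner against the expected governance address and alert on any OwnershipTransferred event.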


Conclusion:
The identified issue stems from an ownership assignment that concentrates upgrade authority in a single account. Addressing it is important for the safety and reliability of the contracts. A comprehensive security audit and adherence to smart contract development best practices are recommended.

Updates

Lead Judging Commences

0xbrivan2 Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
