Zaros Part 2
Tags: Perpetuals, DEX, Foundry, Solidity
Prize pool: 70,000 USDC
Submission Details
Severity: medium
Invalid

Centralization risk from a single trusted owner

Summary:

The privileged functions of BaseKeeper.sol (setting the Chainlink Automation forwarder and authorizing UUPS upgrades) are gated only by the onlyOwner modifier, so one account controls both which address may trigger the keeper and what code the contract runs.

Vulnerability Details:

The BaseKeeper contract in Zaros Part 2 relies on the onlyOwner modifier for its critical administrative functions. Only the owner can set the forwarder address that is trusted to call the keeper, and only the owner can authorize a new implementation through the UUPS `_authorizeUpgrade` hook. This concentrates control over keeper execution and over the contract's logic in a single entity or account, with no delay, multi-party approval, or on-chain notice before a change takes effect.

- Found in src/external/chainlink/keepers/BaseKeeper.sol [Line: 36](src/external/chainlink/keepers/BaseKeeper.sol#L36)

```solidity
function setForwarder(address forwarder) external onlyOwner {
```

- Found in src/external/chainlink/keepers/BaseKeeper.sol [Line: 59](src/external/chainlink/keepers/BaseKeeper.sol#L59)

```solidity
function _authorizeUpgrade(address) internal override onlyOwner { }
```

Impact:

  • Single point of failure: if the owner key is lost or compromised (for example through private key theft), the keeper can no longer be reconfigured or upgraded, or can be reconfigured by the attacker.

  • Malicious or compromised owner: the owner can point the forwarder at an arbitrary address, changing who is allowed to trigger the keeper, or authorize an upgrade to an implementation containing arbitrary code, in a single transaction and with no delay.

  • Lack of transparency: users of the protocol must trust that the owner will not change the keeper's logic or configuration, since nothing on-chain forces a change to be announced before it is applied.

Tools Used

Proof of Concept: The following functions in BaseKeeper demonstrate the centralization risk:

  • BaseKeeper::setForwarder => the owner alone chooses the forwarder address that is trusted to call the keeper, and the change takes effect immediately.

  • BaseKeeper::_authorizeUpgrade => the owner alone can authorize a new implementation address, so the contract's logic can be replaced by whoever controls the owner account.

Recommendations:

Decentralized governance: place the owner role behind a multi-signature wallet or a DAO (Decentralized Autonomous Organization) rather than a single externally owned account. For `_authorizeUpgrade` in particular, consider gating upgrades behind a timelock so that a new implementation is announced on-chain before it can take effect, and consider a two-step ownership transfer so that ownership cannot be handed to a mistyped address.
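As an added illustration, not code from Zaros or from the original submission, the following minimal keeper contrasts the immediate, owner-only setter pattern flagged above with one mitigated form: two-step ownership transfer, and an announce-then-apply delay on both forwarder changes and upgrade authorization. The contract name, the 2-day `DELAY`, the event and error names, and the use of a plain `implementation` variable in place of the ERC-1967 proxy slot are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative keeper written for this review; NOT Zaros/BaseKeeper code.
/// The vulnerable pattern is `function setForwarder(address f) external onlyOwner`
/// and `_authorizeUpgrade(address) internal override onlyOwner {}` taking effect at
/// once. Here every privileged change is proposed, made visible on-chain, and can
/// only be applied after DELAY. Names, delay and layout are assumptions.
contract KeeperWithDelayedAdmin {
    uint256 public constant DELAY = 2 days; // assumed review window

    address public owner;
    address public pendingOwner;

    address public forwarder;               // only address allowed to call performUpkeep
    address public pendingForwarder;
    uint256 public forwarderEffectiveAt;

    address public implementation;          // stands in for the ERC-1967 implementation slot
    address public pendingImplementation;
    uint256 public upgradeEffectiveAt;

    event ForwarderProposed(address indexed forwarder, uint256 effectiveAt);
    event ForwarderApplied(address indexed forwarder);
    event UpgradeProposed(address indexed implementation, uint256 effectiveAt);
    event Upgraded(address indexed implementation);
    event UpkeepPerformed(address indexed caller);

    error Unauthorized(address caller);
    error NothingPending();
    error DelayNotElapsed(uint256 effectiveAt);
    error ZeroAddress();

    modifier onlyOwner() {
        if (msg.sender != owner) revert Unauthorized(msg.sender);
        _;
    }

    modifier onlyForwarder() {
        if (msg.sender != forwarder) revert Unauthorized(msg.sender);
        _;
    }

    constructor(address initialOwner) {
        if (initialOwner == address(0)) revert ZeroAddress();
        owner = initialOwner;
    }

    // Ownership is two-step: a mistyped address cannot silently take control,
    // because the new owner has to call acceptOwnership() from that address.
    function transferOwnership(address newOwner) external onlyOwner {
        pendingOwner = newOwner;
    }

    function acceptOwnership() external {
        if (msg.sender != pendingOwner) revert Unauthorized(msg.sender);
        owner = msg.sender;
        pendingOwner = address(0);
    }

    // Forwarder change: the owner announces it; anyone may apply it once DELAY
    // has passed, which gives integrators time to notice a hostile forwarder.
    function proposeForwarder(address newForwarder) external onlyOwner {
        if (newForwarder == address(0)) revert ZeroAddress();
        pendingForwarder = newForwarder;
        forwarderEffectiveAt = block.timestamp + DELAY;
        emit ForwarderProposed(newForwarder, forwarderEffectiveAt);
    }

    function applyForwarder() external {
        if (pendingForwarder == address(0)) revert NothingPending();
        if (block.timestamp < forwarderEffectiveAt) revert DelayNotElapsed(forwarderEffectiveAt);
        forwarder = pendingForwarder;
        pendingForwarder = address(0);
        emit ForwarderApplied(forwarder);
    }

    // Upgrade: same announce-then-apply gate. In a real UUPS contract this check is
    // what `_authorizeUpgrade` would enforce instead of a bare `onlyOwner`.
    function proposeUpgrade(address newImplementation) external onlyOwner {
        if (newImplementation == address(0)) revert ZeroAddress();
        pendingImplementation = newImplementation;
        upgradeEffectiveAt = block.timestamp + DELAY;
        emit UpgradeProposed(newImplementation, upgradeEffectiveAt);
    }

    function _authorizeUpgrade(address newImplementation) internal view {
        if (pendingImplementation == address(0) || newImplementation != pendingImplementation) {
            revert NothingPending();
        }
        if (block.timestamp < upgradeEffectiveAt) revert DelayNotElapsed(upgradeEffectiveAt);
    }

    function upgradeTo(address newImplementation) external {
        _authorizeUpgrade(newImplementation);
        implementation = newImplementation; // real UUPS code writes the ERC-1967 slot here
        pendingImplementation = address(0);
        emit Upgraded(newImplementation);
    }

    // Only the registered forwarder may trigger upkeep, which is why the choice
    // of forwarder is security-critical in the first place.
    function performUpkeep(bytes calldata) external onlyForwarder {
        emit UpkeepPerformed(msg.sender);
    }
}
```

The delay does not remove the trust placed in the owner; it converts a silent, instantaneous change into one that is visible on-chain for DELAY before it can land, so that integrators and users can react. Putting the owner role behind a multi-signature wallet or DAO, as recommended above, additionally removes the single-key failure mode.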

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
