Liquidity Management
Gamma
DeFiFoundry
50,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Centralization Risk for trusted owners

chsatyasai133

Summary

The contracts identified in GmxProxy.sol, KeeperProxy.sol, and PerpetualVault.sol have multiple functions that allow the contract owner (admin) to perform sensitive operations such as updating parameters, withdrawing funds, and managing addresses. This introduces a centralization risk, as it relies on the trustworthiness of a single entity (the owner) to act in the best interest of the system. A malicious or compromised owner could exploit this privilege to make malicious updates or drain funds.

Vulnerability Details

In the following instances, the functions are marked with onlyOwner, meaning only the contract owner can execute them:

  • GmxProxy.sol: Functions like setMinEth(), withdrawEth(), and others allow the owner to modify key parameters and withdraw ETH from the contract.

  • KeeperProxy.sol: Functions such as setDataFeed(), setThreshold(), and others give the owner control over critical settings for data feeds and thresholds.

  • PerpetualVault.sol: Functions like setKeeper(), setTreasury(), setMinMaxDepositAmount(), and others allow the owner to manage various aspects of the vault, such as keeper settings, treasury, and deposit limits.

These functions pose a centralization risk, as they allow the contract owner full control over sensitive aspects of the contract. If the owner is malicious or their private keys are compromised, they could perform harmful actions like draining funds or disrupting the contract's operations.

Found Instances:

  1. GmxProxy.sol

    • Line 359: setMinEth()

    • Line 539: withdrawEth()

    • Other onlyOwner functions on lines 555, etc.

  2. KeeperProxy.sol

    • Line 112: setDataFeed()

    • Line 125: setThreshold()

    • Line 135: setMaxTimeWindow()

    • Line 145: setKeeper()

  3. PerpetualVault.sol

    • Line 689: setKeeper()

    • Line 703: setTreasury()

    • Lines 717-746: Other onlyOwner functions

Impact

  • Owner Abuse: The owner has significant control over the contract and can make changes that benefit them at the expense of other participants.

  • Centralized Control: Relying on a single trusted owner creates a single point of failure. If the owner’s private keys are compromised, an attacker could perform malicious operations.

  • Security Risk: A malicious owner could drain funds, change critical parameters, or even break the contract by modifying settings that affect its core functionality.

Tools Used

  • Static Analysis: This issue was identified using static code analysis tools (e.g., Slither, MythX, or CodeQL) to detect the use of onlyOwner access control modifier in sensitive functions.

Recommendations

  1. Decentralize Ownership:

    • Consider using a decentralized approach to governance, such as multi-signature wallets or a DAO (Decentralized Autonomous Organization) to distribute control across multiple trusted parties instead of relying on a single owner.

    • Implement multi-signature mechanisms where multiple signatures from different parties are required to execute sensitive functions.

  2. Audit Owner Permissions:

    • Carefully review the functions that only the owner can execute. Ensure that only those that require admin intervention are restricted to the owner.

    • Limit the scope of onlyOwner functions to reduce the attack surface.

  3. Use Timelocks for Critical Changes:

    • Introduce timelocks for critical functions like setting key parameters or withdrawing funds. This gives the community time to react if any malicious changes are made.

  4. Role-Based Access Control (RBAC):

    • Use role-based access control to create multiple levels of permissions. Allow other trusted participants to have administrative privileges without giving them full ownership rights.

  5. Regular Audits and Monitoring:

    • Implement regular security audits and continuous monitoring to detect any abnormal or unauthorized activities by the contract owner or other privileged users.

  6. Encourage Key Management Best Practices:

    • Ensure that the owner follows secure key management practices, such as using hardware wallets for private key storage and implementing strict access controls to prevent key compromise.

Updates

Lead Judging Commences

n0kto Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Admin is trusted / Malicious keepers

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point. Keepers are added by the admin, there is no "malicious keeper" and if there is a problem in those keepers, that's out of scope. ReadMe and known issues states: " * System relies heavily on keeper for executing trades * Single keeper point of failure if not properly distributed * Malicious keeper could potentially front-run or delay transactions * Assume that Keeper will always have enough gas to execute transactions. There is a pay execution fee function, but the assumption should be that there's more than enough gas to cover transaction failures, retries, etc * There are two spot swap functionalies: (1) using GMX swap and (2) using Paraswap. We can assume that any swap failure will be retried until success. " " * Heavy dependency on GMX protocol functioning correctly * Owner can update GMX-related addresses * Changes in GMX protocol could impact system operations * We can assume that the GMX keeper won't misbehave, delay, or go offline. " "Issues related to GMX Keepers being DOS'd or losing functionality would be considered invalid."

n0kto Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Admin is trusted / Malicious keepers

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point. Keepers are added by the admin, there is no "malicious keeper" and if there is a problem in those keepers, that's out of scope. ReadMe and known issues states: " * System relies heavily on keeper for executing trades * Single keeper point of failure if not properly distributed * Malicious keeper could potentially front-run or delay transactions * Assume that Keeper will always have enough gas to execute transactions. There is a pay execution fee function, but the assumption should be that there's more than enough gas to cover transaction failures, retries, etc * There are two spot swap functionalies: (1) using GMX swap and (2) using Paraswap. We can assume that any swap failure will be retried until success. " " * Heavy dependency on GMX protocol functioning correctly * Owner can update GMX-related addresses * Changes in GMX protocol could impact system operations * We can assume that the GMX keeper won't misbehave, delay, or go offline. " "Issues related to GMX Keepers being DOS'd or losing functionality would be considered invalid."

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.