Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

Centralization Risk Analysis in StabilityPool Contract

Deleted user

Summary

The StabilityPool contract exhibits significant centralization risks through numerous privileged owner functions that control critical protocol parameters and operations without sufficient checks and balances.

Vulnerable Code Locations

// Owner can add/remove managers and control allocations

function addManager(address manager, uint256 allocation) external onlyOwner

function removeManager(address manager) external onlyOwner

function updateAllocation(address manager, uint256 newAllocation) external onlyOwner

// Owner controls critical protocol addresses

function setRAACMinter(address _raacMinter) external onlyOwner

function setLiquidityPool(address _liquidityPool) external onlyOwner

// Owner controls market configurations

function addMarket(address market, uint256 allocation) external onlyOwner

function removeMarket(address market) external onlyOwner

function updateMarketAllocation(address market, uint256 newAllocation) external onlyOwner

// Emergency controls

function pause() external onlyOwner

function unpause() external onlyOwner

Impact

Protocol Manipulation
- Owner can arbitrarily add/remove managers who control liquidations
- Can pause all user operations without delay
- Can redirect protocol flows by changing critical addresses
Economic Risks
- Control over market allocations affects reward distribution
- Manager allocation changes can impact liquidation processes
- No timelock on parameter changes allows instant modifications
Trust Requirements
- Users must fully trust owner not to abuse powers
- No governance oversight on parameter changes
- Single account holds emergency powers

Proof of Concept

// Example of potential manipulation

function manipulateProtocol() external {

// 1. Owner adds malicious manager

stabilityPool.addManager(attacker, type(uint256).max);

// 2. Pause protocol to prevent withdrawals

stabilityPool.pause();

// 3. Manager drains funds through liquidations

stabilityPool.liquidateBorrower(victimAddress);

}

Recommended Mitigation

Implement Timelocks

contract StabilityPool is IStabilityPool, TimelockController {

uint256 public constant TIMELOCK_DELAY = 2 days;

function setLiquidityPool(address _liquidityPool) external {

require(isOperationPending(keccak256("setLiquidityPool")), "Timelock not initiated");

// ...existing implementation...

}

Add Multi-signature Requirements

modifier onlyMultisig() {

require(multisig.isConfirmed(msg.sig, msg.sender), "Requires multi-sig");

}

Implement Governance Controls

Add DAO voting for parameter changes
Require community approval for critical changes
Set maximum limits on parameter values

Enhanced Event Logging

event ProtocolParameterChanged(

string indexed parameterName,

address indexed actor,

uint256 oldValue,

uint256 newValue,

uint256 timestamp

);

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!