Submission Details
Impact:
Likelihood:
Single Point of Failure in Contract Ownership
Root + Impact
Description
The contract uses OpenZeppelin's `Ownable` pattern with a single owner address that has complete control over critical functions. This creates a single point of failure where the compromise or loss of the owner's private key can severely impact the protocol.
// Root cause in the codebase with @> marks to highlight the relevant section
Risk
Impact:
Risk scenarios include:
- Owner key compromise leading to malicious actions
- Loss of owner key resulting in inability to manage protocol
- Social engineering attacks targeting the owner
- No redundancy or recovery mechanisms
Proof of Concept
All critical functions use onlyOwner modifier
Functions controlled by single owner:
- setAllowedSellToken()
- emergencyWithdrawERC20()
- withdrawFees()
- Any future administrative functions
modifier onlyOwner() {
_checkOwner();
_;
}
Recommended Mitigation
Implement multi-signature wallet ownership using Gnosis Safe or similar
Add role-based access control with separate roles for different functions
Implement governance mechanisms for critical decisions
Add owner rotation capabilities with proper transition
Rewards breakdown
nSLOC
217This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.