Overcentralized Emergency Withdrawal Function Enables Owner to Drain User-Listed Tokens
[M-1] Overcentralized Emergency Withdrawal Function Enables Owner to Drain User-Listed Tokens
Description:
The contract implements an emergencyWithdrawERC20 function restricted by onlyOwner. While this function explicitly prevents the withdrawal of core tokens (WETH, WBTC, WSOL, USDC), it still allows the owner to withdraw any other user-listed or locked tokens.
This introduces a significant centralization risk: the owner can arbitrarily drain seller deposits or listed tokens, violating user trust and undermining the protocol’s decentralization guarantees.
Impact:
Users who list or lock non-core tokens in the protocol risk losing their funds if the owner:
-
Maliciously executes the function.
-
Gets compromised (e.g., owner’s private key leak).
Even if the function is used with good intentions (e.g., to recover stuck tokens), it still creates custodial risk inconsistent with trustless DeFi principles.
Could negatively affect protocol reputation and adoption.
Recommended Mitigation:
To mitigate this risk:
-
Remove the emergencyWithdrawERC20 function entirely, making the protocol fully non-custodial.
-
Alternatively, replace onlyOwner with a:
Timelock contract: schedule withdrawals, giving users time to react.Multisig wallet: require multiple trusted parties to approve.Governance mechanism (DAO voting): decentralize control further. -
Clearly document emergency procedures to set correct user expectations.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.