The contract enforces a list of allowed tokens via a mapping(address => bool), but this list is fully controlled by a centralized owner address, with no governance, timelock, or multisig restrictions.
This creates a risk of centralized abuse or mismanagement, especially in live environments where token trust and user confidence are critical. A malicious or compromised owner can:
Add malicious tokens to the system
Remove valid tokens arbitrarily
Disrupt trading for users
While this is not a technical vulnerability, this design flaw can create trust issues and exposes the protocol to external governance criticism or rug-pull accusations.
Likelihood:
This can happen whenever token-management decisions are left to a single address without review.
Highly likely in lightly audited protocols or during active governance changes.
Impact:
Unexpected interruption of protocol availability
Loss of user trust
Integration of malicious ERC20 tokens
Negative reputation or legal risks
Recommendation:
Implement access control via governance mechanisms such as a timelock or a multisig.
These changes improve transparency and reduce the risk of misuse.
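As an added illustration (not code from the audited project), the first contract below shows the owner-controlled allowlist pattern described in this finding, and the second shows one way to apply the recommendation: every allowlist change is queued, becomes executable only after a fixed delay, and the admin role is assumed to be held by a multisig. Contract and function names, the 2-day delay, and the event names are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Pattern from the finding: a single owner can allow or revoke any token instantly, with no review.
contract AllowlistUnrestricted {
    address public owner = msg.sender;
    mapping(address => bool) public allowedTokens;
    function setAllowedToken(address token, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedTokens[token] = allowed; // takes effect immediately, no delay, no second signer
    }
}

// Hardened variant (assumed design): changes are queued, then executable only after DELAY,
// so users and integrators can see and react to pending changes. `admin` should be a multisig.
contract AllowlistTimelocked {
    uint256 public constant DELAY = 2 days;
    address public immutable admin;
    mapping(address => bool) public allowedTokens;
    mapping(bytes32 => uint256) public queuedAt; // change id => earliest execution timestamp
    event ChangeQueued(address indexed token, bool allowed, uint256 eta);
    event ChangeExecuted(address indexed token, bool allowed);
    event ChangeCancelled(address indexed token, bool allowed);
    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }
    constructor(address multisig) { admin = multisig; }
    function changeId(address token, bool allowed) public pure returns (bytes32) {
        return keccak256(abi.encode(token, allowed));
    }
    function queueChange(address token, bool allowed) external onlyAdmin {
        bytes32 id = changeId(token, allowed);
        require(queuedAt[id] == 0, "already queued");
        uint256 eta = block.timestamp + DELAY;
        queuedAt[id] = eta;
        emit ChangeQueued(token, allowed, eta); // public notice before the change lands
    }
    function cancelChange(address token, bool allowed) external onlyAdmin {
        bytes32 id = changeId(token, allowed);
        require(queuedAt[id] != 0, "not queued");
        delete queuedAt[id];
        emit ChangeCancelled(token, allowed);
    }
    // Anyone may execute once the delay has elapsed; the delay itself is the control.
    function executeChange(address token, bool allowed) external {
        bytes32 id = changeId(token, allowed);
        uint256 eta = queuedAt[id];
        require(eta != 0 && block.timestamp >= eta, "delay not elapsed");
        delete queuedAt[id];
        allowedTokens[token] = allowed;
        emit ChangeExecuted(token, allowed);
    }
}
```

Monitoring ChangeQueued events gives integrators a concrete signal to pause or withdraw before a questionable token is admitted or a valid one is removed.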