Code4rena (code423n4): CODE423N4:2022-03-LIFINANCE-FINDINGS-ISSUES-210
Mar 30, 2022 - 12:00 a.m.

Enforced Owner Can Extract Funds From The Contract

Code4rena
github.com

Lines of code

Vulnerability details

Impact

During the code review, it was observed that access control is enforced with the following line.

        LibDiamond.enforceIsContractOwner();

The withdraw function gives the contract owner the ability to extract all funds sent to the contract. This poses a centralization risk.

Proof of Concept

Tools Used

Code Review

Recommended Mitigation Steps

We advise the client to carefully manage the onlyMasterMinter account private key to avoid any potential risks
of being hacked. In general, we strongly recommend centralized privileges or roles in the protocol to be
improved via a decentralized mechanism or smart-contract-based accounts with enhanced security
practices, e.g., Multisignature wallets.

  • Define maximum total supply.
  • Indicatively, here are some feasible suggestions that would also mitigate the potential risk at
    different levels, in terms of short-term and long-term goals:
  • Time-lock with reasonable latency, e.g. 48 hours, for awareness of privileged operations;
  • Assignment of privileged roles to multi-signature wallets to prevent a single point of failure due to the
    private key;
  • Introduction of a DAO/governance/voting module to increase transparency and user involvement.
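
The time-lock suggestion above, sketched as an added example that is not code from the report or from the audited project: an owner-only withdrawal that must be queued on-chain and can execute only after the 48-hour delay. The contract, function and event names are hypothetical; it assumes native-asset withdrawals only and an owner address that is a multi-signature wallet.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.7;
// Hypothetical contract (not the audited project's code): withdrawals are queued, then delayed.
contract TimelockedWithdraw {
    uint256 public constant DELAY = 48 hours;   // latency suggested in the report
    address public immutable owner;             // assumption: a multisig wallet address
    mapping(bytes32 => uint256) public readyAt; // request id => earliest execution time

    event WithdrawQueued(bytes32 indexed id, address indexed to, uint256 amount, uint256 eta);
    event WithdrawExecuted(bytes32 indexed id);
    event WithdrawCancelled(bytes32 indexed id);
    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(address multisig) {
        require(multisig != address(0), "zero owner");
        owner = multisig;
    }

    receive() external payable {}
    // Step 1: announce the withdrawal on-chain so users can observe it and react.
    function queueWithdraw(address payable to, uint256 amount, bytes32 salt) external onlyOwner returns (bytes32 id) {
        require(to != address(0), "zero recipient");
        id = keccak256(abi.encode(to, amount, salt));
        require(readyAt[id] == 0, "already queued");
        uint256 eta = block.timestamp + DELAY;
        readyAt[id] = eta;
        emit WithdrawQueued(id, to, amount, eta);
    }

    // Step 2: funds move only once the delay has elapsed for exactly these parameters.
    function executeWithdraw(address payable to, uint256 amount, bytes32 salt) external onlyOwner {
        bytes32 id = keccak256(abi.encode(to, amount, salt));
        uint256 eta = readyAt[id];
        require(eta != 0 && block.timestamp >= eta, "not queued or timelock active");
        delete readyAt[id]; // clear state before the external call
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
        emit WithdrawExecuted(id);
    }

    // The owner can drop a queued request before it executes.
    function cancelWithdraw(bytes32 id) external onlyOwner {
        require(readyAt[id] != 0, "not queued");
        delete readyAt[id];
        emit WithdrawCancelled(id);
    }
}
```

Monitoring the `WithdrawQueued` event gives users and off-chain alerting the full delay window to notice a privileged withdrawal before any funds move.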
