ID: CODE423N4:2022-11-PARASPACE-FINDINGS-ISSUES-513
Source: Code4rena
Published: Jan 25, 2023 - 12:00 a.m.

Upgraded Q -> M from #229 [1674661320954]

Judge has assessed an item in Issue #229 as M risk. The relevant finding follows:

Centralization Risk
Contract:
<https://github.com/code-423n4/2022-11-paraspace/blob/main/paraspace-core/contracts/protocol/tokenization/base/MintableIncentivizedERC721.sol#L131>

Impact:
It seems the poolAdmin holds too much power, including changing the reward controller, rescuing tokens, etc. This can allow the poolAdmin to impact all users by changing the config or draining the contract. Here we look at one example, setIncentivesController.

Steps:

1. PoolAdmin calls setIncentivesController and sets rewardController to zero.
2. This causes users to stop getting incentives on their stakes. So if a user decides to burn, the reward incentives are gone permanently.

Recommendation:
Keep the poolAdmin as a multisig and behind a timelock to prevent immediate changes.
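
The recommendation above can be sketched as a queue-then-execute setter. This is an added example, not ParaSpace code or part of the original finding: the contract, its function and event names, and the two-day delay are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Hypothetical sketch: all names and the delay value are assumptions.
contract TimelockedIncentivesConfig {
    uint256 public constant DELAY = 2 days; // assumed notice period

    address public immutable admin;      // intended to be a multisig wallet
    address public incentivesController; // controller currently in effect
    address public pendingController;    // queued replacement
    uint256 public executableAt;         // 0 means nothing is queued

    event ControllerChangeQueued(address indexed newController, uint256 executableAt);
    event ControllerChangeCancelled(address indexed newController);
    event ControllerChanged(address indexed oldController, address indexed newController);

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    constructor(address multisigAdmin, address initialController) {
        admin = multisigAdmin;
        incentivesController = initialController;
    }

    // Step 1: announce the change; the event gives users DELAY to react,
    // for example by claiming rewards before a zero controller takes effect.
    function queueControllerChange(address newController) external onlyAdmin {
        pendingController = newController;
        executableAt = block.timestamp + DELAY;
        emit ControllerChangeQueued(newController, executableAt);
    }

    function cancelControllerChange() external onlyAdmin {
        require(executableAt != 0, "nothing queued");
        emit ControllerChangeCancelled(pendingController);
        delete pendingController;
        delete executableAt;
    }

    // Step 2: apply the queued value only after the delay has elapsed.
    function executeControllerChange() external onlyAdmin {
        require(executableAt != 0, "nothing queued");
        require(block.timestamp >= executableAt, "timelock active");
        emit ControllerChanged(incentivesController, pendingController);
        incentivesController = pendingController;
        delete pendingController;
        delete executableAt;
    }
}
```

Monitoring for the queued-change event is what turns the delay into protection: a change to the zero address is still possible here, but it can no longer take effect without notice.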

