The owner is a single point of failure and a centralization risk

Lines of code 56, 109, 127, 172, 219, 250, 115, 131, 154, 116, 131https://github.com/Tapioca-DAO/tapiocaz-audit/blob/bcf61f79464cfdc0484aa272f9f6e28d...

The owner is a single point of failure and a centralization risk

Lines of code 56, 109, 127, 172, 219, 250, 115, 131, 154, 116, 131https://github.com/Tapioca-DAO/tapiocaz-audit/blob/bcf61f79464cfdc0484aa272f9f6e28d...

The onlySeaport is a single point of failure and a centralization risk

Lines of code Vulnerability details Impact The onlySeaport holds a lot of power within the system, which can compromise the system integrity and it's permission-less nature. Having a single EOA as onlySeaport is a large centralization risk and a single point of failure. A single private key may b...

Governor relay() functions can be used to bypass voting an directly run critical SecurityCouncilManager functions

Lines of code https://github.com/ArbitrumFoundation/governance/blob/c18de53820c505fc459f766c1b224810eaeaabc5/src/security-council-mgmt/governors/SecurityCouncilNomineeElectionGovernor.sol...

LiquidationQueue brings centralization risk in the contract.

Lines of code Vulnerability details Impact the owner has too much unilateral control over liquidations and can manipulate te country in the following ways: The owner of LiquidationQueue sees a profitable liquidation opportunity Before anyone else can liquidate, they use LiquidationQueue to place ...

The admin is a single point of failure and a centralization risk

Lines of code Vulnerability details Impact Having a single EOA as the only owner of contracts is a large centralization risk and a single point of failure. A single private key may be taken in a hack, or the sole holder of the key may become unable to retrieve the key when necessary. Consider...

Upgraded Q -> 2 from #112 [1686922871117]

Judge has assessed an item in Issue 112 as 2 risk. The relevant finding follows: | | Issue | Instances ---|---|--- M-1 | Centralization Risk for trusted owners | 19 M-1 Centralization Risk for trusted owners Impact: Contracts have owners with privileged rights to perform admin tasks and need to b...

The owner is a single point of failure and a centralization risk.

Lines of code Vulnerability details Impact & Vunerability Details. Having a single EOA as the only owner of contracts is a large centralization risk and a single point of failure, as this contract's owner can perform roles of high importance to the protocol. A single private key may be taken in a...

Centralization risk for trusted owners

Lines of code Vulnerability details Description: Contracts have owners that have privileged rights to perform admin tasks. These owners need to be trusted to not perform malicious updates or drain funds. Having a single Externally Owned Account EOA as the sole owner represents a significant...

The owner is a single point of failure and a centralization risk

Lines of code Vulnerability details Impact Having a single EOA as the only owner of contracts is a large centralization risk and a single point of failure. A single private key may be taken in a hack, or the sole holder of the key may become unable to retrieve the key when necessary. Similar...

The owner is a single point of failure and a centralization risk (06 Instances)

Lines of code Vulnerability details Impact Having a single EOA as the only owner of contracts is a large centralization risk and a single point of failure. A single private key may be taken in a hack, or the sole holder of the key may become unable to retrieve the key when necessary. Tools Used...

Permit authorized callers can burn any amount of BYTES 2.0 tokens from an arbitrary address

Lines of code Vulnerability details Impact Using the burn function of BYTES 2.0, an authorized caller can burn an arbitrary amount of tokens from any address. I'm aware that it was mentioned in README.md of the project that this type of finding is out of the scope. but I believe it is still...

In the beginning its relatively easy to gain majority share

Lines of code Vulnerability details Impact As mentioned in the document, Although possible, the permissions to execute arbitrary actions or upgrade the DAO should not be given to EOAs as this poses a security risk to the organization if the account is compromised or acts adversarial. Instead, the...

Upgraded Q -> M from #229 [1674661320954]

Judge has assessed an item in Issue 229 as M risk. The relevant finding follows: Centralization Risk Contract: Impact: It seems the poolAdmin holds too much power including changing reward controller, rescue tokens etc. This can allow poolAdmin to impact all users by changing the config or draini...

Owner can rug PrePOMarket using re-initialized finalLongPayout.

Lines of code Vulnerability details Description In PrePOMarket.sol, the finalLongPayout represents the finalized value of a single long token in the market. It is settled post ICO / IPO according to predetermined rules. The issue is that this value may be re-initialized as many times as owner...

Upgraded Q -> M from #400 [1670236164031]

Judge has assessed an item in Issue 400 as M risk. The relevant finding follows: L04 - LiquidStakingManager.dao can rug node operators with executeAsSmartWallet daoCommissionPercentage is used to calculate the portion of node operator network rewards that are sent to dao, when a node runner is...

Excessive owner privilege - can freeze pledge creator's funds after pledging period completed.

Lines of code Vulnerability details Description The retrievePledgeRewards function is used by pledge creator, only after pledge endTimestamp has passed. It will collect for the creator all unused reward tokens. Since it can only operate after endTimestamp, the pledge has for all intents and...

[NAZ-M2] MINTER_ROLE Can Be Granted By The Deployer and Can Mint Arbitrary Amount of Tokens

Lines of code Vulnerability details Impact If the private key of the deployer or an address with the MINTER is compromised, the attacker will be able to mint an unlimited amount of tokens. I believe this is unnecessary and poses a serious centralization risk. Tools Used Manual Review Recommended...

[NAZ-M2] Centralization Risk with "voter_admin" Has The Ability To mintTo/BurnFrom Any Arbitrary Amount of VOTES

Lines of code Vulnerability details Impact "voteradmin" has the ability to mint/burn any arbitrary amount of VOTES. Creating a centralization risk that allows "voteradmin" to pass or veto any proposal. Proof of Concept 1. Alice submits a proposal that benefits the users at an expense of Mallory's...

Upgraded Q -> M from 9 [1659036743700]

Judge has assessed an item in Issue 9 as Medium risk. The relevant finding follows: Centralized risk The operator address can mint arbitrary amount of tokens. In addition, operator can also burn tokens from third-party accounts. If the private key of the owner or minter address is compromised, th...