Centralization risk for trusted owners
Lines of code Vulnerability details Description: Contracts have owners that have privileged rights to perform admin tasks. These owners need to be trusted to not perform malicious updates or drain funds. Having a single Externally Owned Account (EOA) as the sole owner represents a significant...
The owner is a single point of failure and a centralization risk
Lines of code Vulnerability details Impact Having a single EOA as the only owner of contracts is a large centralization risk and a single point of failure. A single private key may be taken in a hack, or the sole holder of the key may become unable to retrieve the key when necessary. Similar...
The owner is a single point of failure and a centralization risk.
Lines of code Vulnerability details Impact & Vulnerability Details. Having a single EOA as the only owner of contracts is a large centralization risk and a single point of failure, as this contract's owner can perform roles of high importance to the protocol. A single private key may be taken in a...
The owner is a single point of failure and a centralization risk (06 Instances)
Lines of code Vulnerability details Impact Having a single EOA as the only owner of contracts is a large centralization risk and a single point of failure. A single private key may be taken in a hack, or the sole holder of the key may become unable to retrieve the key when necessary. Tools Used...
IBM Security Guardium Key Lifecycle Manager Unauthorized Access Vulnerability
IBM Security Guardium Key Lifecycle Manager manages the encryption key management process through centralization, streamlining and automation to help protect encrypted data and simplify encryption key management. The vulnerability is due to the fact that the affected version can...
Centralization privileges could cause revenue loss or DDoS
Lines of code Vulnerability details Impact DISCLAIMER: I understand that this was under known issues M-1, and I'm submitting this from another angle, which is the case where the owner is compromised. The Namespace and Tray contracts allow the owner to execute some privileged actions which give flexibility but at the...
Permit authorized callers can burn any amount of BYTES 2.0 tokens from an arbitrary address
Lines of code Vulnerability details Impact Using the burn function of BYTES 2.0, an authorized caller can burn an arbitrary amount of tokens from any address. I'm aware that it was mentioned in the project's README.md that this type of finding is out of scope, but I believe it is still...
In the beginning its relatively easy to gain majority share
Lines of code Vulnerability details Impact As mentioned in the document: "Although possible, the permissions to execute arbitrary actions or upgrade the DAO should not be given to EOAs as this poses a security risk to the organization if the account is compromised or acts adversarial. Instead, the...
Centralization Risk for trusted owners
Lines of code https://github.com/code-423n4/2023-02-ethos/blob/73687f32b934c9d697b97745356cdf8a1f264955/Ethos...
Upgraded Q -> M from #404 [1674736828553]
Judge has assessed an item in Issue 404 as M risk. The relevant finding follows: L‑06 Owner can renounce while system is paused The contract owner or single user with a role is not prevented from renouncing the role/ownership while the contract is paused, which would cause any user assets stored ...
Upgraded Q -> M from #229 [1674661320954]
Judge has assessed an item in Issue 229 as M risk. The relevant finding follows: Centralization Risk Contract: Impact: It seems the poolAdmin holds too much power including changing reward controller, rescue tokens etc. This can allow poolAdmin to impact all users by changing the config or draini...
Upgraded Q -> M from #313 [1674663275698]
Judge has assessed an item in Issue 313 as M risk. The relevant finding follows: L-07 Centralization risks The owner address of the PoolAddressesProvider contract has control over many dangerous functions, such as setAddressAsProxy, setPoolConfiguratorImpl and updatePoolImpl, which are responsible fo...
Centralization risk
Lines of code Vulnerability details Impact MANAGERADMIN can set a very high value for minimumRedeemAmount, which will ensure that all attempts to redeem simply fail. Proof of Concept 1. User A wants to redeem an amount of 100000 using the requestRedemption function 2. Before User A can do so,...
Users have no guarantee of a minimum amount received when minting and redeeming
Lines of code Vulnerability details Impact It is a widely accepted practice in DeFi to offer users the ability to specify the least favorable exchange they are willing to accept. Since CASH tokens are not received in the same transaction it is not possible to create a wrapper that checks if they...
mintFee can be set to 100%
Lines of code Vulnerability details Impact The mintFee can be set to 100%. An amount of centralization over the usual is to be expected in a protocol that deals with RWAs and requires KYC but being able to set the fee to 100% is unnecessary, dangerous, and could harm Ondo's reputation. Proof of...
Malicious ChainLink's VRF manager can decide to not whitelist VRFNFTRandomDraw or brick ongoing raffles
Lines of code Vulnerability details Impact ChainLink's VRF manager has a privileged position, as all VRFNFTRandomDraw instances share the same VRFCoordinatorV2 address and have to be whitelisted in order to be able to call the requestRandomWords function. There is centralization risk in this case, tha...
Owner can rug PrePOMarket using re-initialized finalLongPayout.
Lines of code Vulnerability details Description In PrePOMarket.sol, the finalLongPayout represents the finalized value of a single long token in the market. It is settled post ICO / IPO according to predetermined rules. The issue is that this value may be re-initialized as many times as owner...
Upgraded Q -> M from #400 [1670236164031]
Judge has assessed an item in Issue 400 as M risk. The relevant finding follows: L04 - LiquidStakingManager.dao can rug node operators with executeAsSmartWallet daoCommissionPercentage is used to calculate the portion of node operator network rewards that are sent to dao, when a node runner is...
Upgraded Q -> M from #400 [1670236078897]
Judge has assessed an item in Issue 400 as M risk. The relevant finding follows: L03 - LiquidStakingManager.dao can rug node operators with executeAsSmartWallet 202: function executeAsSmartWallet 203: address nodeRunner, 204: address to, 205: bytes calldata data, 206: uint256 value 207: external...
Medium: DAO can drain all funds of all node runners immediately
Lines of code Vulnerability details Description The DAO can steal all funds of all node runners in the system, which means the system is heavily centralized. function executeAsSmartWallet address nodeRunner, address to, bytes calldata data, uint256 value external payable onlyDAO address smartWall...