Very critical Owner
privileges can cause complete destruction of the project in a possible privateKey exploit
#139
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
M-04
primary issue
Highest quality submission among a set of duplicates
selected for report
This submission will be included/highlighted in the audit report
sponsor acknowledged
Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Lines of code
https://github.com/code-423n4/2022-10-traderjoe/blob/main/src/libraries/PendingOwnable.sol#L42
Vulnerability details
Vulnerability details
Typically, the contract’s owner is the account that deploys the contract. As a result, the owner is able to perform certain privileged activities.
However, Owner privileges are numerous and there is no timelock structure in the process of using these privileges.
The Owner is assumed to be an EOA, since the documents do not provide information on whether the Owner will be a multisign structure.
In parallel with the private key thefts of the project owners, which have increased recently, this vulnerability has been stated as medium.
Similar vulnerability;
Private keys stolen:
Hackers have stolen cryptocurrency worth around €552 million from a blockchain project linked to the popular online game Axie Infinity, in one of the largest cryptocurrency heists on record. Security issue : PrivateKey of the project officer was stolen:
https://www.euronews.com/next/2022/03/30/blockchain-network-ronin-hit-by-552-million-crypto-heist
Proof of Concept
onlyOwner
powers;Recommendation;
1- A timelock contract should be added to use
onlyOwner
privileges. In this way, users can be warned in case of a possible security weakness.2-
onlyOwner
can be a Multisign wallet and this part is specified in the documentationThe text was updated successfully, but these errors were encountered: