This repository has been archived by the owner on Jul 28, 2024. It is now read-only.

Anubis - Unilateral Admin Authority with Risk of Unauthorized Transaction Execution #23

Closed
sherlock-admin opened this issue Jan 25, 2024 · 0 comments
Labels
Non-Reward This issue will not receive a payout

Comments

@sherlock-admin
Contributor

sherlock-admin commented Jan 25, 2024

Anubis

high

Unilateral Admin Authority with Risk of Unauthorized Transaction Execution

Summary

The Timelock contract consolidates significant authority in the admin role, enabling the execution of crucial functions (queueTransaction, cancelTransaction, executeTransaction) without multi-party consensus. This design introduces a single point of failure and a potential vector for privilege escalation and unauthorized transaction execution.

Vulnerability Detail

The contract's current architecture grants the admin role exclusive control over sensitive functions, creating a centralization risk. An attacker compromising the admin's private key or the role being misused can lead to unauthorized state alterations within the system. Potential exploits include enqueuing and executing transactions that could divert funds, manipulate governance decisions, or compromise the integrity of the governed protocols.

Impact

Compromise of the admin role poses severe threats, including but not limited to:

  • Unauthorized system configuration changes.
  • Execution of malicious transactions leading to fund drainage.
  • Seizure of control over governed protocols.
  • Erosion of trust and security within the governed ecosystem.

These risks collectively represent a substantial threat to the system's integrity, security, and user trust.

Code Snippet

https://github.com/sherlock-audit/2024-01-olympus-on-chain-governance/blob/main/bophades/src/external/governance/Timelock.sol#L108
https://github.com/sherlock-audit/2024-01-olympus-on-chain-governance/blob/main/bophades/src/external/governance/Timelock.sol#L125
https://github.com/sherlock-audit/2024-01-olympus-on-chain-governance/blob/main/bophades/src/external/governance/Timelock.sol#L140

Tool used

Manual Review

Recommendation

Mitigate the centralization risk by implementing a multi-signature or a decentralized governance model for pivotal actions. Introduce mechanisms such as timelocks or multi-step confirmations to ensure that no single party can unilaterally enact significant changes.

Code Snippet for Fix:

// Enforce multi-signature or collective approval for critical functions
modifier multiSigRequired() {
    require(isConfirmedAction(msg.sender, txHash), "MultiSigRequired: Awaiting more confirmations");
    _;
    // Reset for next operation
    resetActionConfirmation(txHash);
}

function queueTransaction(...) public multiSigRequired returns (bytes32) {
    ...
}

function cancelTransaction(...) public multiSigRequired {
    ...
}

function executeTransaction(...) public payable multiSigRequired returns (bytes memory) {
    ...
}

// Functions for managing multi-signature confirmations
function isConfirmedAction(address action, bytes32 txHash) internal view returns (bool);
function resetActionConfirmation(bytes32 txHash) internal;

By requiring multiple confirmations from distinct governance participants, the system can ensure that no single entity has unilateral control over critical actions, thereby preventing unauthorized transactions and enhancing the overall security of the system.

Duplicate of #22

@github-actions github-actions bot added the Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label label Jan 27, 2024
@sherlock-admin sherlock-admin changed the title Helpful Denim Salmon - Unilateral Admin Authority with Risk of Unauthorized Transaction Execution Anubis - Unilateral Admin Authority with Risk of Unauthorized Transaction Execution Jan 30, 2024
@sherlock-admin sherlock-admin added Non-Reward This issue will not receive a payout and removed Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Jan 30, 2024
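
The recommendation's sketch leaves `txHash` undefined and does not say how confirmations are counted. One way to make it concrete, as an added example that is not part of the report or of the Olympus code: `ConfirmationGate`, `GatedQueue`, `queue` and its parameters are hypothetical names, and the signer set is assumed to be fixed at deployment.

```solidity
pragma solidity ^0.8.15;

// Added illustration, not Olympus or Sherlock code; every name here is hypothetical.
abstract contract ConfirmationGate {
    mapping(address => bool) public isSigner;
    uint256 public immutable threshold;
    mapping(bytes32 => uint256) public confirmations; // action id => current count
    mapping(bytes32 => uint256) private _round;       // bumped when approvals are consumed
    mapping(bytes32 => mapping(uint256 => mapping(address => bool))) private _voted;

    constructor(address[] memory signers, uint256 threshold_) {
        uint256 unique;
        for (uint256 i; i < signers.length; ++i) {
            if (signers[i] == address(0) || isSigner[signers[i]]) continue; // skip zero and duplicates
            isSigner[signers[i]] = true;
            ++unique;
        }
        // A threshold of 1 would reproduce the single-key problem the report describes.
        require(threshold_ >= 2 && threshold_ <= unique, "bad threshold");
        threshold = threshold_;
    }

    // Each distinct signer may confirm a given action id once per round.
    function confirm(bytes32 id) external {
        require(isSigner[msg.sender], "not a signer");
        require(!_voted[id][_round[id]][msg.sender], "already confirmed");
        _voted[id][_round[id]][msg.sender] = true;
        ++confirmations[id];
    }

    modifier confirmed(bytes32 id) {
        require(confirmations[id] >= threshold, "awaiting more confirmations");
        // Consume approvals before the body runs so they cannot be replayed or re-entered.
        confirmations[id] = 0;
        ++_round[id];
        _;
    }
}

contract GatedQueue is ConfirmationGate {
    mapping(bytes32 => bool) public queued;

    constructor(address[] memory signers, uint256 threshold_) ConfirmationGate(signers, threshold_) {}

    // The id commits to the selector and every argument, so signers approve one exact call.
    function queue(address target, uint256 value, bytes calldata data, uint256 eta)
        external
        confirmed(keccak256(abi.encode(this.queue.selector, target, value, data, eta)))
    {
        queued[keccak256(abi.encode(target, value, data, eta))] = true;
    }
}
```

Because the id includes the function selector, approvals gathered for queueing a call cannot be reused to cancel or execute it. In a timelock the gate would sit alongside the existing caller check rather than replace it.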