-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Very critical Owner
privileges can cause complete destruction of the project in a possible privateKey exploit
#139
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
M-04
primary issue
Highest quality submission among a set of duplicates
selected for report
This submission will be included/highlighted in the audit report
sponsor acknowledged
Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Comments
code423n4
added
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
labels
Oct 18, 2022
0x0Louis
added
the
sponsor acknowledged
Technically the issue is correct, but we're not going to resolve it for XYZ reasons
label
Oct 29, 2022
The owner will be our multisig |
Per the rulebook will bulk all Admin Privilege findings under this one. Most notably the main issue was the lack of validation on the flashloan fee, which this issue acts as an umbrella for |
GalloDaSballo marked the issue as primary issue |
c4-judge
added
the
primary issue
Highest quality submission among a set of duplicates
label
Nov 13, 2022
This was referenced Nov 13, 2022
GalloDaSballo marked the issue as selected for report |
c4-judge
added
the
selected for report
This submission will be included/highlighted in the audit report
label
Nov 16, 2022
This was referenced Nov 16, 2022
This was referenced Nov 23, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
M-04
primary issue
Highest quality submission among a set of duplicates
selected for report
This submission will be included/highlighted in the audit report
sponsor acknowledged
Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Lines of code
https://github.com/code-423n4/2022-10-traderjoe/blob/main/src/libraries/PendingOwnable.sol#L42
Vulnerability details
Vulnerability details
Typically, the contract’s owner is the account that deploys the contract. As a result, the owner is able to perform certain privileged activities.
However, Owner privileges are numerous and there is no timelock structure in the process of using these privileges.
The Owner is assumed to be an EOA, since the documents do not provide information on whether the Owner will be a multisign structure.
In parallel with the private key thefts of the project owners, which have increased recently, this vulnerability has been stated as medium.
Similar vulnerability;
Private keys stolen:
Hackers have stolen cryptocurrency worth around €552 million from a blockchain project linked to the popular online game Axie Infinity, in one of the largest cryptocurrency heists on record. Security issue : PrivateKey of the project officer was stolen:
https://www.euronews.com/next/2022/03/30/blockchain-network-ronin-hit-by-552-million-crypto-heist
Proof of Concept
onlyOwner
powers;Recommendation;
1- A timelock contract should be added to use
onlyOwner
privileges. In this way, users can be warned in case of a possible security weakness.2-
onlyOwner
can be a Multisign wallet and this part is specified in the documentationThe text was updated successfully, but these errors were encountered: