Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

A single point of failure is not acceptable for this project #248

Closed
code423n4 opened this issue Oct 30, 2022 · 4 comments
Closed

A single point of failure is not acceptable for this project #248

code423n4 opened this issue Oct 30, 2022 · 4 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-269 satisfactory satisfies C4 submission criteria; eligible for awards sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-10-paladin/blob/main/contracts/WardenPledge.sol#L18

Vulnerability details

Impact

The pause() function on WardenPledge.sol has a single point of failure and onlyOwner can stop all project.

Owner is not behind a multisig and changes are not behind a timelock.(This information hasnt got in documents)

Even if protocol admins/developers are not malicious there is still a chance for admin keys to be stolen.

   function pause() external onlyOwner {
        _pause();
    }

In addition, when we add other onlyOwner privileges, the single point of failure situation becomes stronger;

onlyOwner   |   Functions
========================
onlyOwner  =>  addMultipleRewardToken(address[],uint256[])
onlyOwner  =>  addRewardToken(address,uint256)
onlyOwner  =>  updateRewardToken(address,uint256)
onlyOwner  =>  removeRewardToken(address)
onlyOwner  =>  updateChest(address)
onlyOwner  =>  updateMinTargetVotes(uint256)
onlyOwner  =>  updatePlatformFee(uint256)
onlyOwner  =>  pause()
onlyOwner  =>  unpause()
onlyOwner  =>  recoverERC20(address)

See this example where a similar finding has been flagged as a high-severity issue:
realitycards-findings

Recommended Mitigation Steps

Isolate functionu and other lightweight onlyOwner functions such as pause() that are very powerful and will affect the project

Add a time lock to critical functions like pause()

Admin-only functions that change critical parameters should emit events and have timelocks. Events allow capturing the changed parameters so that off-chain tools/interfaces can register such changes with timelocks that allow users to evaluate them and consider if they would like to engage/exit based on how they perceive the changes as affecting the trustworthiness of the protocol or profitability of the implemented financial services.

Allow only multi-signature wallets to call the function to reduce the likelihood of an attack.

https://twitter.com/danielvf/status/1572963475101556738?s=20&t=V1kvzfJlsx-D2hfnG0OmuQ
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Oct 30, 2022
code423n4 added a commit that referenced this issue Oct 30, 2022
@code423n4
0xSmartContract issue #248
1eb6b20
@Kogaroshi Kogaroshi added the sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons label Oct 30, 2022
@Kogaroshi
Copy link

This design where 1 address has the onlyOwner controlled by 1 address is by choice, so that Owner can be the Paladin Core Multisig, allowing to react quickly and prevent any loss of funds or exploit in the early months after deploy. This is to be later on moved to give the control to a Timelock once the Paladin governance moves on-chain.
And all admin functions do emit Event (either from the WardenPledge code, or from the inherited code)

@c4-judge
Copy link
Contributor

kirk-baird marked the issue as duplicate of #70

@c4-judge
Copy link
Contributor

c4-judge commented Dec 4, 2022

kirk-baird marked the issue as satisfactory

@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Dec 4, 2022
@c4-judge
Copy link
Contributor

c4-judge commented Dec 6, 2022

Simon-Busch marked the issue as duplicate of #269

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-269 satisfactory satisfies C4 submission criteria; eligible for awards sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@Kogaroshi @code423n4 @c4-judge