Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CKP-01 | Centralization Related Risks In Contract #151

Open
kerber0x opened this issue Feb 3, 2022 · 0 comments
Open

CKP-01 | Centralization Related Risks In Contract #151

kerber0x opened this issue Feb 3, 2022 · 0 comments
Milestone
Certik Audit Fixes

Comments

@kerber0x
Copy link
Contributor

kerber0x commented Feb 3, 2022

In the contract community-fund, the role admin has authority over the following messages:

  • Spend to transfer Whale tokens from the contract to any accounts;
  • Burn to burn Whale tokens in the contract account;
  • SetAdmin to change the admin address to a new address.

Any compromise to the admin account may allow a hacker to take advantage of this authority and
manipulate the fund in the contract account

Recommendation

The risk describes the current project design and potentially makes iterations to improve in the security
operation and level of decentralization, which in most cases cannot be resolved entirely at the present
stage. We advise the client to carefully manage the privileged account's private key to avoid any potential
risks of being hacked. In general, we strongly recommend centralized privileges or roles in the protocol be
improved via a decentralized mechanism or smart-contract-based accounts with enhanced security
practices, e.g., multi-signature wallets.

Indicatively, here are some feasible suggestions that would also mitigate the potential risk at a different
level in terms of short-term, long-term and permanent:

Short Term:

Timelock and Multi sign (⅔, ⅗) combination mitigate by delaying the sensitive operation and avoiding a
single point of key management failure.

  • Time-lock with reasonable latency, e.g., 48 hours, for awareness on privileged operations; AND
  • Assignment of privileged roles to multi-signature wallets to prevent a single point of failure due to the
    private key compromised; AND
  • A medium/blog link for sharing the timelock contract and multi-signers addresses information with
    the public audience.

Long Term:

Timelock and DAO, the combination, mitigate by applying decentralization and transparency.

  • Time-lock with reasonable latency, e.g., 48 hours, for awareness on privileged operations; AND
  • Introduction of a DAO/governance/voting module to increase transparency and user involvement; AND
  • A medium/blog link for sharing the timelock contract, multi-signers addresses, and DAO information
    with the public audience.

Permanent:

Renouncing the ownership or removing the function can be considered fully resolved.

  • Renounce the ownership and never claim back the privileged roles; OR
  • Remove the risky functionality.

Noted: Recommend considering the long-term solution or the permanent solution. The project team shall
make a decision based on the current state of their project, timeline, and project resources.
@kerber0x kerber0x added this to the Certik Audit Fixes milestone Feb 3, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
Certik Audit Fixes
Development

No branches or pull requests
1 participant
@kerber0x