The `owner` is a single point of failure and a centralization risk
code423n4 opened this issue · 0 comments
Lines of code
56, 109, 127, 172, 219, 250, 115, 131, 154, 116, 131, 130, 151, 455, 308, 318, 324, 344, 357, 365, 446, 458, 471, 479, 259, 276, 297, 326, 53, 140, 152, 160, 256, 263, 281, 291, 317, 339, 362, 381, 395, 414, 424, 455, 464, 142, 151, 158, 442, 466, 477, 489, 576, 88, 96, 105, 125, 134, 61, 122, 129, 209, 109, 120, 89, 100, 148, 163, 170, 179, 134, 141, 150, 199, 125, 132, 141, 182, 104, 113, 93, 104, 142, 149, 193, 90, 101
Vulnerability details
Having a single EOA as the only owner of contracts is a large centralization risk and a single point of failure. A single private key may be taken in a hack, the sole holder of the key may become unable to retrieve it when necessary, or the single owner can become malicious and perform a rug-pull. Every function listed below is gated by an `onlyOwner` modifier, so that one key controls, among other things, the oracle and minter settings, the fee recipients and the strategies' `emergencyWithdraw`. Consider changing to a multi-signature setup, and/or having a role-based authorization model.
File: contracts/NativeTokenFactory.sol
56: function transferOwnership(uint256 tokenId, address newOwner, bool direct, bool renounce) public onlyOwner(tokenId) {
109: function mint(uint256 tokenId, address to, uint256 amount) public onlyOwner(tokenId) {
127: function batchMint(uint256 tokenId, address[] calldata tos, uint256[] calldata amounts) public onlyOwner(tokenId) {
File: contracts/Balancer.sol
172 function rebalance(
173 address payable _srcOft,
174 uint16 _dstChainId,
175 uint256 _slippage,
176 uint256 _amount,
177 bytes memory _ercData
178 )
179 external
180 payable
181 onlyOwner
182 onlyValidDestination(_srcOft, _dstChainId)
183 onlyValidSlippage(_slippage)
184: {
219 function initConnectedOFT(
220 address _srcOft,
221 uint16 _dstChainId,
222 address _dstOft,
223 bytes memory _ercData
224: ) external onlyOwner {
250 function addRebalanceAmount(
251 address _srcOft,
252 uint16 _dstChainId,
253 uint256 _amount
254: ) external onlyValidDestination(_srcOft, _dstChainId) onlyOwner {
File: contracts/TapiocaWrapper.sol
115 function executeTOFT(
116 address _toft,
117 bytes calldata _bytecode,
118 bool _revertOnFailure
119: ) external payable onlyOwner returns (bool success, bytes memory result) {
131 function executeCalls(
132 ExecutionCall[] calldata _call
133 )
134 external
135 payable
136 onlyOwner
137 returns (bool success, bytes[] memory results)
138: {
154 function createTOFT(
155 address _erc20,
156 bytes calldata _bytecode,
157 bytes32 _salt,
158 bool _linked
159: ) external onlyOwner {
File: contracts/tOFT/mTapiocaOFT.sol
116 function updateConnectedChain(
117 uint256 _chain,
118 bool _status
119: ) external onlyOwner {
131 function updateBalancerState(
132 address _balancer,
133 bool _status
134: ) external onlyOwner {
File: contracts/Vesting.sol
130: function registerUser(address _user, uint256 _amount) external onlyOwner {
151: function init(IERC20 _token, uint256 _seededAmount) external onlyOwner {
File: contracts/governance/twTAP.sol
455: function addRewardToken(IERC20 token) external onlyOwner returns (uint256) {
File: contracts/option-airdrop/AirdropBroker.sol
308 function setTapOracle(
309 IOracle _tapOracle,
310 bytes calldata _tapOracleData
311: ) external onlyOwner {
318 function setPhase2MerkleRoots(
319 bytes32[4] calldata _merkleRoots
320: ) external onlyOwner {
324 function registerUserForPhase(
325 uint256 _phase,
326 address[] calldata _users,
327 uint256[] calldata _amounts
328: ) external onlyOwner {
344 function setPaymentToken(
345 ERC20 _paymentToken,
346 IOracle _oracle,
347 bytes calldata _oracleData
348: ) external onlyOwner {
357 function setPaymentTokenBeneficiary(
358 address _paymentTokenBeneficiary
359: ) external onlyOwner {
365 function collectPaymentTokens(
366 address[] calldata _paymentTokens
367: ) external onlyOwner {
File: contracts/options/TapiocaOptionBroker.sol
446 function setTapOracle(
447 IOracle _tapOracle,
448 bytes calldata _tapOracleData
449: ) external onlyOwner {
458 function setPaymentToken(
459 ERC20 _paymentToken,
460 IOracle _oracle,
461 bytes calldata _oracleData
462: ) external onlyOwner {
471 function setPaymentTokenBeneficiary(
472 address _paymentTokenBeneficiary
473: ) external onlyOwner {
479 function collectPaymentTokens(
480 address[] calldata _paymentTokens
481: ) external onlyOwner {
File: contracts/options/TapiocaOptionLiquidityProvision.sol
259 function setSGLPoolWEight(
260 IERC20 singularity,
261 uint256 weight
262: ) external onlyOwner updateTotalSGLPoolWeights {
276 function registerSingularity(
277 IERC20 singularity,
278 uint256 assetID,
279 uint256 weight
280: ) external onlyOwner updateTotalSGLPoolWeights {
297 function unregisterSingularity(
298 IERC20 singularity
299: ) external onlyOwner updateTotalSGLPoolWeights {
File: contracts/tokens/BaseTapOFT.sol
326: function setTwTap(address _twTap) external onlyOwner {
File: contracts/tokens/LTap.sol
53: function setLockedUntil(uint256 _lockedUntil) external onlyOwner {
File: contracts/tokens/TapOFT.sol
140 function setGovernanceChainIdentifier(
141 uint256 _identifier
142: ) external onlyOwner {
152: function updatePause(bool val) external onlyOwner {
160: function setMinter(address _minter) external onlyOwner {
File: contracts/Penrose.sol
256: function setBigBangEthMarketDebtRate(uint256 _rate) external onlyOwner {
263: function setBigBangEthMarket(address _market) external onlyOwner {
281: function setConservator(address _conservator) external onlyOwner {
291: function setUsdoToken(address _usdoToken) external onlyOwner {
317 function registerSingularityMasterContract(
318 address mcAddress,
319 IPenrose.ContractType contractType_
320: ) external onlyOwner {
339 function registerBigBangMasterContract(
340 address mcAddress,
341 IPenrose.ContractType contractType_
342: ) external onlyOwner {
362 function registerSingularity(
363 address mc,
364 bytes calldata data,
365 bool useCreate2
366 )
367 external
368 payable
369 onlyOwner
370 registeredSingularityMasterContract(mc)
371 returns (address _contract)
372: {
381 function addSingularity(
382 address mc,
383 address _contract
384: ) external onlyOwner registeredSingularityMasterContract(mc) {
395 function registerBigBang(
396 address mc,
397 bytes calldata data,
398 bool useCreate2
399 )
400 external
401 payable
402 onlyOwner
403 registeredBigBangMasterContract(mc)
404 returns (address _contract)
405: {
414 function addBigBang(
415 address mc,
416 address _contract
417: ) external onlyOwner registeredBigBangMasterContract(mc) {
424 function executeMarketFn(
425 address[] calldata mc,
426 bytes[] memory data,
427 bool forceSuccess
428 )
429 external
430 onlyOwner
431 notPaused
432 returns (bool[] memory success, bytes[] memory result)
433: {
455: function setFeeTo(address feeTo_) external onlyOwner {
464: function setSwapper(ISwapper swapper, bool enable) external onlyOwner {
File: contracts/markets/Market.sol
142: function setBorrowOpeningFee(uint256 _val) external onlyOwner {
151: function setBorrowCap(uint256 _cap) external notPaused onlyOwner {
158 function setMarketConfig(
159 uint256 _borrowOpeningFee,
160 IOracle _oracle,
161 bytes calldata _oracleData,
162 address _conservator,
163 uint256 _callerFee,
164 uint256 _protocolFee,
165 uint256 _liquidationBonusAmount,
166 uint256 _minLiquidatorReward,
167 uint256 _maxLiquidatorReward,
168 uint256 _totalBorrowCap,
169 uint256 _collateralizationRate
170: ) external onlyOwner {
File: contracts/markets/bigBang/BigBang.sol
442 function refreshPenroseFees(
443 address
444: ) external onlyOwner notPaused returns (uint256 feeShares) {
466 function setBigBangConfig(
467 uint256 _minDebtRate,
468 uint256 _maxDebtRate,
469 uint256 _debtRateAgainstEthMarket,
470 uint256 _liquidationMultiplier
471: ) external onlyOwner {
File: contracts/markets/singularity/Singularity.sol
477 function refreshPenroseFees(
478 address feeTo
479: ) external onlyOwner notPaused returns (uint256 feeShares) {
489 function setSingularityConfig(
490 uint256 _lqCollateralizationRate,
491 uint256 _liquidationMultiplier,
492 uint256 _minimumTargetUtilization,
493 uint256 _maximumTargetUtilization,
494 uint64 _minimumInterestPerSecond,
495 uint64 _maximumInterestPerSecond,
496 uint256 _interestElasticity
497: ) external onlyOwner {
576 function setLiquidationQueueConfig(
577 ILiquidationQueue _liquidationQueue,
578 address _bidExecutionSwapper,
579 address _usdoSwapper
580: ) external onlyOwner {
File: contracts/usd0/BaseUSDO.sol
88: function setMaxFlashMintable(uint256 _val) external onlyOwner {
96: function setFlashMintFee(uint256 _val) external onlyOwner {
105: function setConservator(address _conservator) external onlyOwner {
125: function setMinterStatus(address _for, bool _status) external onlyOwner {
134: function setBurnerStatus(address _for, bool _status) external onlyOwner {
File: contracts/Swapper/UniswapV3Swapper.sol
61: function setPoolFee(uint24 _newFee) external onlyOwner {
File: contracts/aave/AaveStrategy.sol
122: function setDepositThreshold(uint256 amount) external onlyOwner {
129: function setMultiSwapper(address _swapper) external onlyOwner {
209: function emergencyWithdraw() external onlyOwner returns (uint256 result) {
File: contracts/balancer/BalancerStrategy.sol
109: function setDepositThreshold(uint256 amount) external onlyOwner {
120: function emergencyWithdraw() external onlyOwner returns (uint256 result) {
File: contracts/compound/CompoundStrategy.sol
89: function setDepositThreshold(uint256 amount) external onlyOwner {
100: function emergencyWithdraw() external onlyOwner returns (uint256 result) {
File: contracts/convex/ConvexTricryptoStrategy.sol
148: function emergencyWithdraw() external onlyOwner returns (uint256 result) {
163: function setDepositThreshold(uint256 amount) external onlyOwner {
170: function setMultiSwapper(address _swapper) external onlyOwner {
179: function setTricryptoLPGetter(address _lpGetter) external onlyOwner {
File: contracts/curve/TricryptoLPStrategy.sol
134: function setDepositThreshold(uint256 amount) external onlyOwner {
141: function setMultiSwapper(address _swapper) external onlyOwner {
150: function setTricryptoLPGetter(address _lpGetter) external onlyOwner {
199: function emergencyWithdraw() external onlyOwner returns (uint256 result) {
File: contracts/curve/TricryptoNativeStrategy.sol
125: function setDepositThreshold(uint256 amount) external onlyOwner {
132: function setMultiSwapper(address _swapper) external onlyOwner {
141: function setTricryptoLPGetter(address _lpGetter) external onlyOwner {
182: function emergencyWithdraw() external onlyOwner returns (uint256 result) {
File: contracts/glp/GlpStrategy.sol
104: function harvestGmx(uint256 priceNum, uint256 priceDenom) public onlyOwner {
113: function setFeeRecipient(address recipient) external onlyOwner {
File: contracts/lido/LidoEthStrategy.sol
93: function setDepositThreshold(uint256 amount) external onlyOwner {
104: function emergencyWithdraw() external onlyOwner returns (uint256 result) {
File: contracts/stargate/StargateStrategy.sol
142: function setDepositThreshold(uint256 amount) external onlyOwner {
149: function setMultiSwapper(address _swapper) external onlyOwner {
193: function emergencyWithdraw() external onlyOwner returns (uint256 result) {
File: contracts/yearn/YearnStrategy.sol
90: function setDepositThreshold(uint256 amount) external onlyOwner {
101: function emergencyWithdraw() external onlyOwner returns (uint256 result) {
Assessed type
other