Skip to content

Latest commit

 

History

History
62 lines (41 loc) · 2.39 KB

011.md

File metadata and controls

62 lines (41 loc) · 2.39 KB

Harsh Purple Mustang

High

Excessive Reliance on Deployer’s Private Key for Critical Roles

Summary

The reliance on the initializers private key for assigning critical roles (e.g., owner and admin) during contract initialization exposes the protocol to severe risks. If the private key is compromised, an attacker can gain full control over the protocol, leading to potential financial losses and operational disruption.

Root Cause

In initialize(), the contract assigns both the owner and admin roles to addresses without implementing any additional safeguards, such as multi-signature wallets or governance mechanisms.

function initialize(
  address owner,  // Line 10: The address of the owner
  address admin,  // Line 11: The address of the admin
  address expectedSigner,
  address signatureVerifier,
  address contractAddressManagerAddr
) external initializer {
  __accessControl_init(owner, admin, expectedSigner, signatureVerifier, contractAddressManagerAddr);
  __UUPSUpgradeable_init();
  enforceCreationAllowList = true;

  // Other initialization logic
}

This setup leaves the protocol critically dependent on the security of the private keys for these addresses.

Internal Pre-conditions

The initialize() function assigns critical roles (owner and admin) to single addresses. There are no mechanisms for multi-signature validation or decentralized governance for these roles.

External Pre-conditions

No response

Attack Path

https://github.com/sherlock-audit/2024-12-ethos-update/blob/main/ethos/packages/contracts/contracts/ReputationMarket.sol#L213 An attacker gains access to the deployer’s private key (or the key of the designated owner or admin). The attacker uses this key to execute critical actions, such as upgrading the contract or modifying key configurations. The attacker exploits this control to disrupt the protocol or drain funds.

Impact

The protocol suffers a complete loss of control and funds:

Unauthorized actions such as upgrading the contract or modifying configurations can disrupt the system. Users lose trust in the protocol, leading to reputational and financial damage.

PoC

No response

Mitigation

1.Implement Multi-Signature Wallets: Require multi-signature validation for actions performed by owner and admin roles. 2.Decentralize Role Assignment: Transition critical roles to decentralized governance mechanisms after deployment.