Massive Crimson Cougar
High
Ownership control can lead to asset mismanagement or malicious exploitation if compromised consider multi ownership
Impact: Ownership control can lead to asset mismanagement or malicious exploitation if compromised.
Proof of Concept (PoC): An attacker who gains access to the owner's private key can execute emergency functions such as emergencyTokenTransfer or emergencyEtherTransfer to drain assets from the contract.
Affected Functions:
-
emergencyTokenTransfer(address token, address to, uint256 amount) https://github.com/sherlock-audit/2025-01-aave-v3-3/blob/main/aave-v3-origin/src/contracts/helpers/WrappedTokenGatewayV3.sol#L164-L166
-
emergencyEtherTransfer(address to, uint256 amount) https://github.com/sherlock-audit/2025-01-aave-v3-3/blob/main/aave-v3-origin/src/contracts/helpers/WrappedTokenGatewayV3.sol#L174-L176
The WrappedTokenGatewayV3 contract assigns privileged roles to the owner, allowing it to perform critical operations, such as:
- Recovering ERC20 tokens mistakenly sent to the contract (emergencyTokenTransfer).
- Withdrawing native Ether (emergencyEtherTransfer).
While these functions are necessary for emergency asset recovery, their misuse (e.g., due to compromised owner credentials) can lead to catastrophic losses. The privileges allow the owner to arbitrarily transfer assets, creating a single point of failure.
A malicious or compromised owner can:
- Drain ERC20 tokens or native ETH from the contract.
- Disrupt user confidence in the system, affecting its overall utility and reputation.
- Suppose an attacker gains control over the owner's private key.
- The attacker calls the following function to drain Ether from the contract:
emergencyEtherTransfer(attackerAddress, contractBalance); - The attacker also drains ERC20 tokens by calling:
emergencyTokenTransfer(tokenAddress, attackerAddress, tokenBalance);
-
Multisignature Wallet:
Replace the single-owner model with a multisignature wallet (e.g., Gnosis Safe). This requires multiple authorized accounts to approve sensitive transactions, reducing the risk of a single point of failure. -
Time-Locked Operations:
Introduce a time-lock mechanism for emergency functions. Transactions must wait a predefined period before execution, allowing users to monitor and act if a malicious transaction is queued. -
Access Control Audits:
Implement additional checks to restrict the usage of emergency functions. For instance:- Limit asset recovery functions to trusted addresses or contracts only.
- Add role-based access controls for enhanced privilege segregation.
-
Event Emissions:
Emit detailed events for all privileged function calls, enabling off-chain monitoring for anomalies. -
Ownership Transfer:
Provide a mechanism to transfer ownership in case of a compromise or allow a DAO to govern the contract to align it with decentralized principles.
Replace Ownable with a contract compatible with multisig (e.g., OpenZeppelin's AccessControl):
import {AccessControl} from '@openzeppelin/contracts/access/AccessControl.sol';
contract WrappedTokenGatewayV3 is AccessControl {
bytes32 public constant OWNER_ROLE = keccak256("OWNER_ROLE");
constructor(address[] memory owners) {
for (uint256 i = 0; i < owners.length; i++) {
_setupRole(OWNER_ROLE, owners[i]);
}
_setRoleAdmin(OWNER_ROLE, OWNER_ROLE);
}
function emergencyEtherTransfer(address to, uint256 amount) external {
require(hasRole(OWNER_ROLE, msg.sender), "Caller is not an owner");
_safeTransferETH(to, amount);
}
}Introduce a delay for sensitive functions:
contract TimeLock {
uint256 public constant TIMELOCK_DURATION = 24 hours;
mapping(bytes32 => uint256) public queuedTransactions;
function queueTransaction(bytes32 txHash) public {
require(queuedTransactions[txHash] == 0, "Transaction already queued");
queuedTransactions[txHash] = block.timestamp + TIMELOCK_DURATION;
}
function executeTransaction(bytes32 txHash) public {
require(queuedTransactions[txHash] > 0, "Transaction not queued");
require(block.timestamp >= queuedTransactions[txHash], "Transaction time lock not expired");
delete queuedTransactions[txHash];
// Execute transaction logic...
}
}By adopting these mitigations, the WrappedTokenGatewayV3 contract can significantly enhance the security of its emergency functions, safeguarding against ownership abuse or compromise.