code-423n4 / 2021-04-meebits-findings


Privileged deployer role and capabilities #32

Open code423n4 opened 3 years ago

code423n4 commented 3 years ago

Handle

0xRajeev

Vulnerability details

Impact

Trusted actors who have privileged roles with capabilities to deploy contracts, change critical parameters, pause/unpause the system, trigger emergency shutdown, withdraw/transfer/drain funds and allow/deny other actors should be addresses controlled by multiple, independent, mutually distrusting entities. They should not be controlled by private keys of EOAs but by multisigs with a high threshold (e.g. 5-of-7, 9-of-11) and eventually by a DAO of token holders. An EOA has a single point of failure.

The contract deployer here can start the public sale, end the community grant, pause the market, seal the contract and, most importantly, mint unlimited NFTs for other addresses. These capabilities should be clearly documented for users to understand the risks.

Also, there is no functionality to change the deployer if the original address/key gets compromised.

Proof of Concept

https://github.com/code-423n4/2021-04-redacted/blob/2ec4ce8e98374be2048126485ad8ddacc2d36d2f/Beebots.sol#L209

https://github.com/code-423n4/2021-04-redacted/blob/2ec4ce8e98374be2048126485ad8ddacc2d36d2f/Beebots.sol#L166-L169

https://github.com/code-423n4/2021-04-redacted/blob/2ec4ce8e98374be2048126485ad8ddacc2d36d2f/Beebots.sol#L215

https://github.com/code-423n4/2021-04-redacted/blob/2ec4ce8e98374be2048126485ad8ddacc2d36d2f/Beebots.sol#L224

https://github.com/code-423n4/2021-04-redacted/blob/2ec4ce8e98374be2048126485ad8ddacc2d36d2f/Beebots.sol#L230

https://github.com/code-423n4/2021-04-redacted/blob/2ec4ce8e98374be2048126485ad8ddacc2d36d2f/Beebots.sol#L235

Tools Used

Manual Analysis

Recommended Mitigation Steps

Ensure contract deployer capabilities are documented for users. Use a multisig for the deployer account and not an EOA. Add functionality to migrate the deployer address using a two-step approach.
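A sketch of the two-step deployer migration recommended above, as an added example that is not part of the original finding and is not code from Beebots.sol. The contract name, state variables, function names and events are all hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example. Every identifier below is hypothetical and chosen for
// illustration; none of it is taken from the audited contract.
abstract contract TwoStepDeployer {
    address public deployer;        // current privileged address (ideally a multisig)
    address public pendingDeployer; // nominated successor, holds no privileges yet

    event DeployerNominated(address indexed current, address indexed nominee);
    event DeployerChanged(address indexed previous, address indexed current);

    modifier onlyDeployer() {
        require(msg.sender == deployer, "Only deployer");
        _;
    }

    constructor() {
        deployer = msg.sender;
        emit DeployerChanged(address(0), msg.sender);
    }

    // Step 1: the current deployer nominates a successor. The role does not
    // move yet, so a mistyped address can be fixed by nominating again.
    // Nominating address(0) cancels a pending nomination.
    function nominateDeployer(address nominee) external onlyDeployer {
        pendingDeployer = nominee;
        emit DeployerNominated(deployer, nominee);
    }

    // Step 2: the nominee must call from the new address, proving that the
    // address can actually sign transactions, before the role is handed over.
    // With no nomination pending this always reverts, because msg.sender
    // can never be address(0).
    function acceptDeployer() external {
        require(msg.sender == pendingDeployer, "Only pending deployer");
        address previous = deployer;
        deployer = msg.sender;
        pendingDeployer = address(0);
        emit DeployerChanged(previous, msg.sender);
    }
}
```

The two steps guard against handing the role to a wrong or unusable address during rotation. They do not limit a party that already holds the deployer key, which is why the multisig recommendation applies alongside it.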

dangerousfood commented 3 years ago

Deployment of a contract does not require the deployer to be an EOA. The deployer could be another contract, including a multisig.