Comptroller Admin Can Update Certain Parameters Causing Unintended Protocol Behaviour

[code423n4]

Lines of code

https://github.com/bunkerfinance/bunker-protocol/blob/752126094691e7457d08fc62a6a5006df59bd2fe/contracts/Comptroller.sol

Vulnerability details

Impact

The deployer of the Comptroller.sol contract acts as the admin and has access to setting certain protocol parameters. Because of this, the contract admin can do the following:

• Insert a malicious oracle by calling _setPriceOracle() and _setNftPriceOracle(). This can be used to artificially manipulate the price of NFTs and other assets.
• _setCollateralFactor() and _setNftCollateralFactor() can be called to cause a large scale liquidation event, effectively wiping the protocol of its capital.
• Pause the contract and refuse to permit execution of any sensitive function. This can prevent user redemptions, locking all tokens indefinitely.

Recommended Mitigation Steps

Ensure the admin is restricted to held behind a timelock and not a multisig (managed by the team) as stated by the sponsor. Ideally, a governance token would provide the best security.

[bunkerfinance-dev]

We don't find any sort of "admin can rug" type of issue as high severity; in the future we will replace the admin with a timelock and/or governance.