The deployer of the Comptroller.sol contract acts as the admin and can set certain protocol parameters. Because of this, the contract admin can do the following:
Insert a malicious oracle by calling _setPriceOracle() and _setNftPriceOracle(). This can be used to artificially manipulate the price of NFTs and other assets.
Call _setCollateralFactor() and _setNftCollateralFactor() to cause a large-scale liquidation event, effectively wiping the protocol of its capital.
Pause the contract and refuse to permit execution of any sensitive function. This can prevent user redemptions, locking all tokens indefinitely.
Recommended Mitigation Steps
Ensure the admin is held behind a timelock and not a multisig (managed by the team) as stated by the sponsor. Ideally, a governance token would provide the best security.
Lines of code
https://github.com/bunkerfinance/bunker-protocol/blob/752126094691e7457d08fc62a6a5006df59bd2fe/contracts/Comptroller.sol