We advise the client to carefully manage the admin account private key to avoid any potential risks
of being hacked. In general, we strongly recommend centralized privileges or roles in the protocol to be
improved via a decentralized mechanism or smart-contract-based accounts with enhanced security
practices, e.g., Multisignature wallets.
Define maximum total supply.
Indicatively, here are some feasible suggestions that would also mitigate the potential risk at different
levels in terms of short-term and long-term goals:
Time-lock with reasonable latency, e.g. 48 hours, for awareness on privileged operations;
Assignment of privileged roles to multi-signature wallets to prevent a single point of failure due to the
private key;
Introduction of a DAO/governance/voting module to increase transparency and user involvement.
Lines of code
https://github.com/code-423n4/2022-06-illuminate/blob/main/lender/Lender.sol#L708
Vulnerability details
Impact
During the code review, it has been observed that the admin can withdraw all tokens from the system.
Proof of Concept
Tools Used
Code Review
Recommended Mitigation Steps
We advise the client to carefully manage the admin account private key to avoid any potential risks of being hacked. In general, we strongly recommend centralized privileges or roles in the protocol to be improved via a decentralized mechanism or smart-contract-based accounts with enhanced security practices, e.g., Multisignature wallets.
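The time-lock suggestion above (48 hours of latency before a privileged operation takes effect) can be sketched as follows. This is an added example, not Illuminate's Lender.sol or code from the report; the contract, function and event names are hypothetical, and the admin address is assumed to be a multi-signature wallet.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Added illustration only; every name here is hypothetical.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract TimelockedWithdraw {
    uint256 public constant DELAY = 48 hours;   // latency suggested in the report
    address public immutable admin;             // assumed to be a multisig wallet
    mapping(address => uint256) public readyAt; // token => earliest execution time

    event WithdrawalScheduled(address indexed token, uint256 readyAt);
    event WithdrawalCancelled(address indexed token);
    event Withdrawn(address indexed token, uint256 amount);

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    constructor(address admin_) {
        require(admin_ != address(0), "zero admin");
        admin = admin_;
    }

    // Step 1: announce the withdrawal on-chain so users can see it and react.
    function scheduleWithdraw(address token) external onlyAdmin {
        require(readyAt[token] == 0, "already scheduled");
        uint256 when = block.timestamp + DELAY;
        readyAt[token] = when;
        emit WithdrawalScheduled(token, when);
    }

    // A scheduled withdrawal can be withdrawn from the queue before it executes.
    function cancelWithdraw(address token) external onlyAdmin {
        require(readyAt[token] != 0, "not scheduled");
        delete readyAt[token];
        emit WithdrawalCancelled(token);
    }

    // Step 2: only executable once the delay has fully elapsed.
    function withdraw(address token, uint256 amount) external onlyAdmin {
        uint256 when = readyAt[token];
        require(when != 0, "not scheduled");
        require(block.timestamp >= when, "timelock active");
        delete readyAt[token]; // clear state before the external call
        require(IERC20(token).transfer(admin, amount), "transfer failed");
        emit Withdrawn(token, amount);
    }
}
```

Off-chain monitoring can alert on `WithdrawalScheduled` events, which is what gives the delay its value to users. Tokens that do not return a boolean from `transfer` would need a safe-transfer wrapper instead of the plain `require` used here.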