code-423n4 / 2022-06-illuminate-findings


Centralization Risk On The Withdraw Operation #397

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-06-illuminate/blob/main/lender/Lender.sol#L708

Vulnerability details

Impact

During the code review, it has been observed that the admin can withdraw all tokens from the system.

Proof of Concept

  1. Navigate to the following contract: https://github.com/code-423n4/2022-06-illuminate/blob/main/lender/Lender.sol#L708

Tools Used

Code Review

Recommended Mitigation Steps

We advise the client to carefully manage the admin account private key to avoid any potential risks of being hacked. In general, we strongly recommend centralized privileges or roles in the protocol to be improved via a decentralized mechanism or smart-contract-based accounts with enhanced security practices, e.g., Multisignature wallets.

JTraversa commented 2 years ago

Thankfully we've implemented pretty much all of that!

On the method the warden points out, there is a 72 hr timelock that sits behind a multisig which is/will be governed by a DAO.
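
A monitoring check for the control described in the reply above, added here as an example and not taken from the Illuminate code base or from either commenter: it replays admin actions and flags any withdrawal that was not scheduled at least 72 hours earlier. The event kinds (`schedule`, `cancel`, `withdraw`), the `Event` record and the sample data are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

HOLD_SECONDS = 72 * 60 * 60  # the 72 hr timelock mentioned in the thread


@dataclass(frozen=True)
class Event:
    timestamp: int  # block timestamp in seconds
    kind: str       # "schedule", "cancel" or "withdraw" (hypothetical names)
    token: str      # token the admin action applies to


def audit_withdrawals(events):
    """Return (event, reason) pairs for withdrawals that bypass the hold."""
    pending = {}    # token -> timestamp at which the open schedule was created
    findings = []
    for ev in sorted(events, key=lambda e: e.timestamp):
        if ev.kind == "schedule":
            pending[ev.token] = ev.timestamp
        elif ev.kind == "cancel":
            pending.pop(ev.token, None)          # cancelling clears the schedule
        elif ev.kind == "withdraw":
            start = pending.pop(ev.token, None)  # a schedule is single-use
            if start is None:
                findings.append((ev, "no pending schedule"))
            elif ev.timestamp - start < HOLD_SECONDS:
                findings.append((ev, "executed before hold elapsed"))
    return findings


# Constructed sample: one compliant withdrawal and three that should be flagged.
T0 = 1_656_000_000
SAMPLE = [
    Event(T0, "schedule", "0xTokenA"),
    Event(T0 + HOLD_SECONDS, "withdraw", "0xTokenA"),        # compliant
    Event(T0 + 10, "schedule", "0xTokenB"),
    Event(T0 + 3600, "withdraw", "0xTokenB"),                # one hour in
    Event(T0 + 20, "schedule", "0xTokenC"),
    Event(T0 + 30, "cancel", "0xTokenC"),
    Event(T0 + HOLD_SECONDS + 100, "withdraw", "0xTokenC"),  # schedule cancelled
    Event(T0 + HOLD_SECONDS + 200, "withdraw", "0xTokenA"),  # schedule already spent
]

if __name__ == "__main__":
    for ev, reason in audit_withdrawals(SAMPLE):
        print(ev.timestamp, ev.token, reason)
```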