Description
Having a single EOA as the only owner of the contracts is a large centralization risk and a single point of failure. A single private key may be stolen in a hack, the sole holder of the key may become unable to retrieve it when necessary, or the single owner may turn malicious and perform a rug-pull. Consider changing to a multi-signature setup and/or a role-based authorization model.
Proof of Concept (PoC) File
file: src/CatalystChainInterface.sol
163 function setMinGasFor(bytes32 chainIdentifier, uint48 minGas) override external onlyOwner {
175 function setMaxUnderwritingDuration(uint256 newMaxUnderwriteDuration) onlyOwner override external {
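As an added illustration (this is not the project's code and not part of the original submission), the single-owner pattern this finding describes is shown beside a role-based alternative in Solidity. The contract names, role names, and the `multisigAdmin` / `configOperator` constructor parameters are assumed for the example; the admin address is meant to be a multisig wallet.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Weak pattern (mirrors the finding): one EOA owner gates every privileged setter.
/// Loss or compromise of that single key means loss or compromise of the whole configuration.
contract SingleOwnerConfig {
    address public owner;
    mapping(bytes32 => uint48) public minGasFor;

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender; // deployer EOA becomes the sole owner
    }

    function setMinGasFor(bytes32 chainIdentifier, uint48 minGas) external onlyOwner {
        minGasFor[chainIdentifier] = minGas;
    }
}

/// Hardened pattern: role-based authorization with a two-step admin handover.
/// ADMIN_ROLE manages roles and is expected to be held by a multisig (assumed deployment parameter);
/// CONFIG_ROLE can only tune operational parameters, so a compromised operator key cannot
/// hand out roles or lock out the admin.
contract RoleBasedConfig {
    bytes32 public constant ADMIN_ROLE = keccak256("ADMIN_ROLE");
    bytes32 public constant CONFIG_ROLE = keccak256("CONFIG_ROLE");

    mapping(bytes32 => mapping(address => bool)) private _roles;
    address public pendingAdmin;
    mapping(bytes32 => uint48) public minGasFor;

    event RoleGranted(bytes32 indexed role, address indexed account, address indexed sender);
    event RoleRevoked(bytes32 indexed role, address indexed account, address indexed sender);
    event AdminNominated(address indexed newAdmin);
    event MinGasSet(bytes32 indexed chainIdentifier, uint48 minGas);

    modifier onlyRole(bytes32 role) {
        require(_roles[role][msg.sender], "missing role");
        _;
    }

    constructor(address multisigAdmin, address configOperator) {
        require(multisigAdmin != address(0) && configOperator != address(0), "zero address");
        _grant(ADMIN_ROLE, multisigAdmin);
        _grant(CONFIG_ROLE, configOperator);
    }

    function hasRole(bytes32 role, address account) public view returns (bool) {
        return _roles[role][account];
    }

    function grantRole(bytes32 role, address account) external onlyRole(ADMIN_ROLE) {
        _grant(role, account);
    }

    function revokeRole(bytes32 role, address account) external onlyRole(ADMIN_ROLE) {
        _roles[role][account] = false;
        emit RoleRevoked(role, account, msg.sender);
    }

    // Two-step handover: the current admin nominates, the nominee must accept.
    // A mistyped address therefore cannot permanently strand the admin role.
    function nominateAdmin(address newAdmin) external onlyRole(ADMIN_ROLE) {
        require(newAdmin != address(0), "zero address");
        pendingAdmin = newAdmin;
        emit AdminNominated(newAdmin);
    }

    function acceptAdmin() external {
        require(msg.sender == pendingAdmin, "not nominated");
        pendingAdmin = address(0);
        _grant(ADMIN_ROLE, msg.sender);
        // The previous admin keeps its role until it is revoked, so the
        // handover can be verified on-chain before the old signer steps down.
    }

    // Operational parameter, gated by the narrower role rather than by an owner key.
    function setMinGasFor(bytes32 chainIdentifier, uint48 minGas) external onlyRole(CONFIG_ROLE) {
        minGasFor[chainIdentifier] = minGas;
        emit MinGasSet(chainIdentifier, minGas);
    }

    function _grant(bytes32 role, address account) internal {
        _roles[role][account] = true;
        emit RoleGranted(role, account, msg.sender);
    }
}
```

The point of the split is least privilege: the key that is used day to day (CONFIG_ROLE) can change parameters but not authority, while the authority to change authority (ADMIN_ROLE) sits behind a multisig and a two-step transfer. Every role change emits an event, which gives monitoring something concrete to alert on.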
Github username: @saidqayoumsadat
Twitter username: saqsadat143
Submission hash (on-chain): 0x2bf62b1934129003366ed13bf8720d10490b1108e32214242e63b929ab8b10be
Severity: medium
https://github.com/catalystdao/catalyst/blob/27b4d0a2bca177aff00def8cd745623bfbf7cb6b/evm/src/CatalystChainInterface.sol#L163C1-L163C96
https://github.com/catalystdao/catalyst/blob/27b4d0a2bca177aff00def8cd745623bfbf7cb6b/evm/src/CatalystChainInterface.sol#L249C1-L249C168
https://github.com/catalystdao/catalyst/blob/27b4d0a2bca177aff00def8cd745623bfbf7cb6b/evm/src/CatalystVaultCommon.sol#L361C1-L361C91