Open hats-bug-reporter[bot] opened 6 months ago
Compromised is a broad term. No scenario provided. This falls into centralization risk -> out of scope imo.
Hi, even if centralization risk is out of scope, this bug can still affect the project in the long run, and there won't be any way to mitigate the risk. Suppose the key is compromised or the team wants to change the treasuryDao: they won't be able to transfer the ownership in both cases.
OOS, feel free to wait for the sponsor's opinion
Github username: --

Twitter username: @sehar54312

Submission hash (on-chain): 0x9deb2b082713212688f091e20e7f19b4107b0c365f8e28c8ca363e62e6fdb497

Severity: medium
Description:

The ownership of all the contracts that are part of the scope of this audit is being assigned to treasuryDao, which is controlled by cvgControlTowerV2.sol. In case of any compromise of the treasuryDao address, the new treasuryDao is being set in CvgControlTowerV2.sol. But when it comes to transferring the ownership of the contract to the new treasuryDao, there is no method for that in any contract. This is a single point of failure attack. All the functions that have the onlyOwner modifier will be compromised.
Attack Scenario

Suppose the treasuryDao address is compromised; the functions with onlyOwner are all at stake. Even if we change the treasuryDao address in cvgControlTowerV2.sol, the ownership still won't be transferred; we have to redeploy all the contracts.
Proof of Concept (PoC)

In all the contracts, in the initialize function, transferOwnership is being called, and that function cannot be called again because of the initializer modifier.

https://github.com/hats-finance/Convergence---Convex-integration-0xb3df23e155b74ad2b93777f58980d6727e8b40bb/blob/246e3ac71f3f2e4ab7eded0f347ad8d070410262/contracts/Staking/Convex/cvxAsset/CvxAssetStakerBuffer.sol#L85-L88

In the compromised case, cvgControlTowerV2 can only change the treasuryDao, and it won't be able to transfer the ownership.
Revised Code File (Optional)

treasuryDao should not rely on just one address; it should be at least 3 trusted addresses.