sherlock-audit / 2023-12-dodo-gsp-judging


bareli - centralization Risk: #136

Closed sherlock-admin closed 6 months ago

sherlock-admin commented 6 months ago

bareli

medium

Centralization Risk

Summary

Centralization risk: The contract has several functions that can only be called by the maintainer, which introduces centralization risk. If the maintainer's address is compromised, the attacker could potentially manipulate the contract.

Vulnerability Detail

```solidity
modifier onlyMaintainer() {
    require(msg.sender == _MAINTAINER_, "ACCESS_DENIED");
    _;
}
```

Impact

If the maintainer's address is compromised, the attacker could potentially manipulate the contract.

Code Snippet

https://github.com/sherlock-audit/2023-12-dodo-gsp/blob/main/dodo-gassaving-pool/contracts/GasSavingPool/impl/GSPVault.sol#L210

```solidity
function withdrawMtFeeTotal() external nonReentrant onlyMaintainer {
    uint256 mtFeeQuote = _MT_FEE_QUOTE_;
    uint256 mtFeeBase = _MT_FEE_BASE_;
    _MT_FEE_QUOTE_ = 0;
    _transferQuoteOut(_MAINTAINER_, mtFeeQuote);
    _MT_FEE_BASE_ = 0;
    _transferBaseOut(_MAINTAINER_, mtFeeBase);
}
```

Tool used

Manual Review

Recommendation

nevillehuang commented 6 months ago

Invalid, maintainers are trusted admins as mentioned in README
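Whatever the judging outcome, the pattern in the finding is worth a concrete illustration. The contract below is an added example, not DODO's code or anything from the audit repository: it keeps a single-key `onlyMaintainer` gate like the one quoted, but shows two common ways to shrink the damage a compromised maintainer key can do on its own, a two-step maintainer handover and a timelocked fee recipient. All names (`TimelockedFeeVault`, `feeRecipient`, `RECIPIENT_DELAY`, the minimal `IERC20` interface) and the two-day delay are assumptions; the `nonReentrant` modifier from the original function is omitted for brevity.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC20 surface needed for payouts (assumed interface, not DODO's).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Added illustration, not DODO's code: keeps the single-key onlyMaintainer
/// gate but limits what a stolen maintainer key can do in one transaction.
contract TimelockedFeeVault {
    uint256 public constant RECIPIENT_DELAY = 2 days; // assumed delay

    IERC20 public immutable baseToken;
    IERC20 public immutable quoteToken;

    address public maintainer;
    address public pendingMaintainer;          // two-step handover target

    address public feeRecipient;               // where fees are paid out
    address public pendingFeeRecipient;        // announced replacement
    uint256 public feeRecipientEffectiveAt;    // earliest time it may apply

    uint256 public mtFeeBase;   // accrued maintainer fee, base token
    uint256 public mtFeeQuote;  // accrued maintainer fee, quote token

    event MaintainerProposed(address indexed pending);
    event MaintainerChanged(address indexed newMaintainer);
    event FeeRecipientProposed(address indexed pending, uint256 effectiveAt);
    event FeeRecipientChanged(address indexed newRecipient);
    event FeesWithdrawn(address indexed to, uint256 base, uint256 quote);

    modifier onlyMaintainer() {
        require(msg.sender == maintainer, "ACCESS_DENIED");
        _;
    }

    constructor(IERC20 _base, IERC20 _quote, address _maintainer, address _feeRecipient) {
        require(_maintainer != address(0) && _feeRecipient != address(0), "ZERO_ADDRESS");
        baseToken = _base;
        quoteToken = _quote;
        maintainer = _maintainer;
        feeRecipient = _feeRecipient;
    }

    // Two-step handover: the new key must call acceptMaintainer itself, so a
    // typo or a hijacked proposal never hands control to an address nobody holds.
    function proposeMaintainer(address next) external onlyMaintainer {
        pendingMaintainer = next;
        emit MaintainerProposed(next);
    }

    function acceptMaintainer() external {
        require(msg.sender == pendingMaintainer, "NOT_PENDING_MAINTAINER");
        maintainer = msg.sender;
        pendingMaintainer = address(0);
        emit MaintainerChanged(msg.sender);
    }

    // Fee recipient changes are announced on-chain and only take effect after
    // RECIPIENT_DELAY, giving operators a window to notice and rotate the key.
    function proposeFeeRecipient(address next) external onlyMaintainer {
        require(next != address(0), "ZERO_ADDRESS");
        pendingFeeRecipient = next;
        feeRecipientEffectiveAt = block.timestamp + RECIPIENT_DELAY;
        emit FeeRecipientProposed(next, feeRecipientEffectiveAt);
    }

    // Anyone may finalise once the delay has elapsed; the current maintainer
    // can still override by proposing a different recipient before then.
    function applyFeeRecipient() external {
        require(pendingFeeRecipient != address(0), "NOTHING_PENDING");
        require(block.timestamp >= feeRecipientEffectiveAt, "TIMELOCK_ACTIVE");
        feeRecipient = pendingFeeRecipient;
        pendingFeeRecipient = address(0);
        emit FeeRecipientChanged(feeRecipient);
    }

    // Same shape as the withdrawal in the finding, but the payout goes to the
    // timelocked feeRecipient rather than to whoever currently holds the key.
    function withdrawMtFeeTotal() external onlyMaintainer {
        uint256 base = mtFeeBase;
        uint256 quote = mtFeeQuote;
        mtFeeBase = 0;   // zero state before external calls (checks-effects-interactions)
        mtFeeQuote = 0;
        require(baseToken.transfer(feeRecipient, base), "BASE_TRANSFER_FAILED");
        require(quoteToken.transfer(feeRecipient, quote), "QUOTE_TRANSFER_FAILED");
        emit FeesWithdrawn(feeRecipient, base, quote);
    }

    // In a real pool the swap path calls this as fees accrue; kept internal so
    // nothing outside the contract can mint fee balances.
    function _accrueMtFee(uint256 base, uint256 quote) internal {
        mtFeeBase += base;
        mtFeeQuote += quote;
    }
}
```

With this shape, a party holding the maintainer key can still trigger `withdrawMtFeeTotal`, but the tokens land at the pre-announced `feeRecipient`, not at the caller. Redirecting them requires `proposeFeeRecipient`, which emits `FeeRecipientProposed` and then waits out `RECIPIENT_DELAY`; an alert on that event gives the team time to rotate the key via the two-step handover before `applyFeeRecipient` can succeed. The residual risk the finding describes is not eliminated, it is reduced to a delay plus a loud on-chain signal, which is the usual trade-off when a single trusted key is an accepted part of the design.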