Closed sherlock-admin closed 10 months ago
bareli
medium
Centralization Risk
Summary
Centralization Risk: The contract has several functions that can only be called by the maintainer, which introduces centralization risk. If the maintainer's address is compromised, the attacker could potentially manipulate the contract.
Vulnerability Detail
    modifier onlyMaintainer() {
        require(msg.sender == MAINTAINER, "ACCESSDENIED");
        _; // run the guarded function body once the caller check has passed
    }
Impact
If the maintainer's address is compromised, the attacker could potentially manipulate the contract.
Code Snippet
https://github.com/sherlock-audit/2023-12-dodo-gsp/blob/main/dodo-gassaving-pool/contracts/GasSavingPool/impl/GSPVault.sol#L210
    function withdrawMtFeeTotal() external nonReentrant onlyMaintainer {
        uint256 mtFeeQuote = _MT_FEEQUOTE;
        uint256 mtFeeBase = _MT_FEEBASE;
        // zero each accrued fee before transferring it out, and send it to the fixed MAINTAINER address
        _MT_FEEQUOTE = 0;
        _transferQuoteOut(MAINTAINER, mtFeeQuote);
        _MT_FEEBASE = 0;
        _transferBaseOut(MAINTAINER, mtFeeBase);
    }
Tool used
Manual Review
Recommendation
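As an added illustration (not code from the DODO repository or from the issue author), a Foundry test against a minimal stand-in contract that keeps the modifier and withdraw shape from the snippet above; the contract and test names, the plain-accounting stand-in for the transfer helper, and the ACCESS_DENIED revert string are assumed. It shows that a call from any other address reverts, and that a maintainer call, including one from a compromised maintainer key, can only move the accrued fees to the fixed MAINTAINER address.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import "forge-std/Test.sol";

// Minimal stand-in for the vault: same modifier and withdraw shape as the
// issue's snippet, with the quote-token transfer replaced by plain accounting
// and the base-token half omitted for brevity.
contract MaintainerVault {
    address public immutable MAINTAINER;
    uint256 public mtFeeQuote;
    mapping(address => uint256) public quoteOut; // stand-in for _transferQuoteOut

    modifier onlyMaintainer() {
        require(msg.sender == MAINTAINER, "ACCESS_DENIED");
        _; // without this line the guarded body would never execute
    }

    constructor(address maintainer) { MAINTAINER = maintainer; }

    // Stands in for the fee accrual the pool performs on each swap.
    function accrue(uint256 quote) external { mtFeeQuote += quote; }

    // Destination is the fixed MAINTAINER address, not a caller-supplied one.
    function withdrawMtFeeTotal() external onlyMaintainer {
        uint256 q = mtFeeQuote;
        mtFeeQuote = 0;
        quoteOut[MAINTAINER] += q;
    }
}

contract MaintainerVaultTest is Test {
    address maintainer = address(0xA11CE); // constructed addresses
    address outsider = address(0xB0B);
    MaintainerVault vault;

    function setUp() public { vault = new MaintainerVault(maintainer); vault.accrue(100); }

    function testOutsiderCannotWithdraw() public {
        vm.prank(outsider);
        vm.expectRevert(bytes("ACCESS_DENIED"));
        vault.withdrawMtFeeTotal();
    }

    function testMaintainerWithdrawsToMaintainer() public {
        vm.prank(maintainer);
        vault.withdrawMtFeeTotal();
        assertEq(vault.quoteOut(maintainer), 100);
        assertEq(vault.mtFeeQuote(), 0);
    }
}
```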
Invalid, maintainers are trusted admins as mentioned in the README