sherlock-audit / 2024-03-zivoe-judging


BoRonGod - DAO unable to withdraw their funds due to Origin admin action #672

Closed sherlock-admin3 closed 6 months ago

sherlock-admin3 commented 6 months ago

BoRonGod

medium

DAO unable to withdraw their funds due to Origin admin action

Summary

Origin DAO/admin can upgrade the OUSD implementation, which can block OCY_OUSD from farming yield and leave the contract stuck.

Vulnerability Detail

Per the contest page, the admins of the protocols that Zivoe integrates with are considered "RESTRICTED". This means that any issue related to Origin admin action that could negatively affect Zivoe protocol/users will be considered valid in this audit contest.

Q: Are the admins of the protocols your contracts integrate with (if any) TRUSTED or RESTRICTED?

RESTRICTED

Currently Origin admin/DAO has the ability to upgrade OUSD implementation:

https://etherscan.io/token/0x2a8e1e676ec238d8a992307b495b45b3feaa5e86#code#L344

/**
 * @dev Upgrade the backing implementation of the proxy.
 * Only the admin can call this function.
 * @param newImplementation Address of the new implementation.
 */
function upgradeTo(address newImplementation) external onlyGovernor {
    _upgradeTo(newImplementation);
}

Such an upgrade could block OCY_OUSD from doing any actions by changing some interface or adding some malicious logic.

Impact

The funds of the Zivoe protocol and its users will be stuck, resulting in users being unable to withdraw their assets.

Code Snippet

https://etherscan.io/token/0x2a8e1e676ec238d8a992307b495b45b3feaa5e86#code#L344

Tool used

Manual Review

Recommendation

Ensure that the protocol team and its users are aware of the risks of such an event and develop a contingency plan to manage it.

Duplicate of #657

pseudonaut commented 6 months ago

I suppose valid, not of concern

sherlock-admin3 commented 6 months ago

1 comment(s) were left on this issue during the judging contest.

panprog commented:

invalid, even though external admins are restricted, they are not supposed to harm their own protocol, which will surely happen in such a case.

RealLTDingZhen commented 6 months ago

escalate

This is a valid medium per external admin is restricted and sponsor confirms this.

Please refer to https://github.com/sherlock-audit/2024-01-napier-judging/issues/95 and https://github.com/sherlock-audit/2024-01-napier-judging/issues/108

sherlock-admin3 commented 6 months ago

escalate

This is a valid medium per external admin is restricted and sponsor confirms this.

Please refer to https://github.com/sherlock-audit/2024-01-napier-judging/issues/95 and https://github.com/sherlock-audit/2024-01-napier-judging/issues/108

You've created a valid escalation!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

panprog commented 6 months ago

Even if this happens, there is nothing that can be done about it, so this is a purely informational issue. It won't affect the other protocol functionality since this is just a separate locker with funds locked in it.

WangSecurity commented 6 months ago

I agree with both the Lead Judge and escalating Watson, but according to README and external admins being restricted, these reports indeed should be valid. But, I believe the most fair option is to duplicate this report with other issues where external admin's actions are leading to a harm of Zivoe with Medium severity, due to extremely low likelihood.

The reports it will be duplicated with are #657, https://github.com/sherlock-audit/2024-03-zivoe-judging/issues/692 and https://github.com/sherlock-audit/2024-03-zivoe-judging/issues/697. Planning to accept the escalation and duplicate these reports.

Evert0x commented 6 months ago

Result: Medium Duplicate of #657

sherlock-admin2 commented 6 months ago

Escalations have been resolved successfully!

Escalation status: