3.5 Trust Issue of Admin Keys

  • ID: PVE-005

  • Severity: Medium

  • Likelihood: Medium

  • Impact: Medium

  • Target: TGTStaking

  • Category: Security Features

  • CWE subcategory: CWE-287

Description

In the Pop protocol, there is a privileged account, i.e., the owner, which plays a critical role in governing and regulating protocol-wide operations (e.g., parameter setting and role assignment). It also has the privilege to affect the flow of assets managed by the protocol. Our analysis shows that this privileged account needs to be scrutinized. In the following, we examine the privileged account and its related privileged accesses in the current contracts.

// Authorises a controller, who can register and renew domains.
function addController(address controller) external override onlyOwner {
    controllers[controller] = true;
    emit ControllerAdded(controller);
}

// Revoke controller permission for an address.
function removeController(address controller) external override onlyOwner {
    controllers[controller] = false;
    emit ControllerRemoved(controller);
}

// Set the resolver for the TLD this registrar manages.
function setResolver(address resolver) external override onlyOwner {
    pns.setResolver(baseNode, resolver);
}

If the privileged admin is managed by a plain EOA account, this may be worrisome and poses counter-party risk to the exchange users. A multi-sig account could greatly alleviate this concern, though it is still far from perfect. A better approach is to eliminate the administration-key concern entirely by transferring the role to a community-governed DAO. In the meantime, a timelock-based mechanism can also be considered as a mitigation.

Moreover, it should be noted that the current contracts support being deployed behind a proxy, so the proxy-admin privileges need to be properly managed as well, since they fall under this same trust issue.

Recommendation

Promptly transfer the privileged account to the intended DAO-like governance contract. All changes to privileged operations may need to be mediated with necessary timelocks. Eventually, activate the normal on-chain community-based governance life-cycle and ensure the intended trustless nature and high-quality distributed governance.
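As an added illustration of the timelock mitigation (not code from the audited project): a minimal timelock contract that would be installed as the registrar's `owner`, so that every onlyOwner call such as setResolver or addController must first be announced on-chain and can only be executed after a fixed delay. The contract name, the `proposer` address (standing for the multi-sig or DAO) and the delay value are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical example contract: installed as the registrar's `owner`, so each
// privileged call (addController, setResolver, ...) is first scheduled publicly
// and can only be executed once `delay` seconds have elapsed. Users and
// monitoring tools watch the Scheduled event to review pending admin actions.
contract OwnerTimelock {
    uint256 public immutable delay;              // e.g. 2 days, chosen at deployment
    address public proposer;                     // multi-sig or DAO that may schedule
    mapping(bytes32 => uint256) public readyAt;  // operation id => earliest execution time

    event Scheduled(bytes32 indexed id, address target, bytes data, uint256 readyAt);
    event Executed(bytes32 indexed id);

    modifier onlyProposer() {
        require(msg.sender == proposer, "timelock: not proposer");
        _;
    }

    constructor(address _proposer, uint256 _delay) {
        proposer = _proposer;
        delay = _delay;
    }

    // Operation id binds target, calldata and a salt so identical calls can be queued separately.
    function operationId(address target, bytes calldata data, bytes32 salt) public pure returns (bytes32) {
        return keccak256(abi.encode(target, data, salt));
    }

    // Step 1: announce the privileged call; the delay is the community's review window.
    function schedule(address target, bytes calldata data, bytes32 salt) external onlyProposer {
        bytes32 id = operationId(target, data, salt);
        require(readyAt[id] == 0, "timelock: already scheduled");
        readyAt[id] = block.timestamp + delay;
        emit Scheduled(id, target, data, readyAt[id]);
    }

    // Step 2: anyone may execute once the delay has passed. The call originates from
    // this contract, which is the address the registrar's onlyOwner check sees.
    function execute(address target, bytes calldata data, bytes32 salt) external {
        bytes32 id = operationId(target, data, salt);
        require(readyAt[id] != 0 && block.timestamp >= readyAt[id], "timelock: not ready");
        delete readyAt[id];
        (bool ok, ) = target.call(data);
        require(ok, "timelock: call failed");
        emit Executed(id);
    }
}
```

In production a battle-tested implementation such as OpenZeppelin's TimelockController (which adds proposer/executor roles and cancellation) is preferable to a hand-rolled one; the point here is that the registrar's owner becomes the timelock, so no privileged change can take effect silently.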

Status

This issue has been resolved as the owner will be managed by a multi-sig account.
