-
Notifications
You must be signed in to change notification settings - Fork 2
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
An admin can rug pull by changing contract addresses #40
Comments
Acknowledging. System heavily relies on the admins to do the right thing, the right way. It's a design choice. Moreover, the governance contract (already voted and created by the DAO) is controlled by reputed members from the ecosystem. Would classify this as 0 (Informational). |
@JasoonS lets go through and settle on this one. Further thinking of downgrading to low/informational. Simply the presence of upgradeable smart contracts means everything here plus more is obviously possible by admin. At the early stage of system development, this is a design choice often taken while many changes still need to likely occur to the system. It is true that timelocks and admin multisigs and other precautions can be put in place. Sounds like the admin is a multisig anyways. |
Judging all "admin keys can rug or set funny values" as low severity. This is less helpful for the sponsor |
Grouping with warden's QA Report #32 |
Lines of code
https://github.com/code-423n4/2022-02-hubble/blob/ed1d885d5dbc2eae24e43c3ecbf291a0f5a52765/contracts/AMM.sol#L730-L734
https://github.com/code-423n4/2022-02-hubble/blob/ed1d885d5dbc2eae24e43c3ecbf291a0f5a52765/contracts/InsuranceFund.sol#L116-L119
Vulnerability details
Impact
By implementing malicious versions of the interfaces required by an
IRegistry
, the single-sig governor admin address can rug pull funds.Even if the governor is benevolent the fact that there is a rug vector available may negatively impact the protocol's reputation. In addition the single private key may be taken in a hack. See this example where a similar finding has been flagged as a high-severity issue.
Proof of Concept
By silently changing the
oracle
of eachAMM
...https://github.com/code-423n4/2022-02-hubble/blob/ed1d885d5dbc2eae24e43c3ecbf291a0f5a52765/contracts/AMM.sol#L730-L734
...the
oracle.getUnderlyingTwapPrice()
can be made to return a value favorable to the attacker in all calls tosettleFunding()
, draining fundshttps://github.com/code-423n4/2022-02-hubble/blob/ed1d885d5dbc2eae24e43c3ecbf291a0f5a52765/contracts/AMM.sol#L387-L389
By silently changing the
marginAccount
of theInsuranceFund
...https://github.com/code-423n4/2022-02-hubble/blob/ed1d885d5dbc2eae24e43c3ecbf291a0f5a52765/contracts/InsuranceFund.sol#L116-L119
...the
marginAccount
can be made to receive all pending obligation fundshttps://github.com/code-423n4/2022-02-hubble/blob/ed1d885d5dbc2eae24e43c3ecbf291a0f5a52765/contracts/InsuranceFund.sol#L77-L85
The provided deployment script only uses a signer rather than a contract as the governance address. Furthermore, the live environment deployed on testnet has a deployed
InsuranceFund
which uses theonlyGovernance
modifier...https://github.com/code-423n4/2022-02-hubble/blob/ed1d885d5dbc2eae24e43c3ecbf291a0f5a52765/contracts/InsuranceFund.sol#L116-L119
...and the only transaction interacting with this function appears here and is called by an address, not a contract. There are no other transactions to the insurance fund to change the governance address, so it's clear that the testnet does not use a multisig either.
Tools Used
Code inspection
Hardhat
snowtrace.io
Recommended Mitigation Steps
Use a multisig and disable the ability to change contract addresses
The text was updated successfully, but these errors were encountered: