@GalloDaSballo
Created October 24, 2022 22:34
If you'd like to contribute to the historical context, feel free to scout reports from Vader and Yeti upwards at https://code4rena.com/reports/

LivePeer - Leastwood code-423n4/2022-01-livepeer-findings#165

code-423n4/2022-01-livepeer-findings#195

Tracer - cemozerr code-423n4/2021-06-tracer-findings#66

RealityCards - dmtv Owner self-bricking code-423n4/2021-06-realitycards-findings#31

Yield - dmtv code-423n4/2021-05-yield-findings#44

Connext - ghoul.sol Malicious Router (not exactly admin but trusted third party) code-423n4/2021-07-connext-findings#12

Spartan Protocol - ghoul.sol

Passing Malicious Data to Dao to rug it Sent by hickuphh3 (Judge at C4) code-423n4/2021-07-spartan-findings#43

Sherlock - ghoul.sol Sent by Gpersoon - Respected Whitehat and part of WSG code-423n4/2021-07-sherlock-findings#4

bveCVX - Ghoul.sol Malicious CVX Admin can rug bveCVX strategy. Mitigated by both protocols: Badger, to protect the strat; CVX, to offer stronger security guarantees.

code-423n4/2021-09-bvecvx-findings#51

Althea Gravity Bridge - Albert Chon Validator can self grief and brick the system code-423n4/2021-08-gravitybridge-findings#51

Kuiper 1 - Alex The Entreprenerd code-423n4/2021-09-defiprotocol-findings#192 code-423n4/2021-09-defiprotocol-findings#265

Swivel - 0xean code-423n4/2021-09-swivel-findings#95

Arguably different, but ultimately the admin is the only one who can “mess it up” code-423n4/2021-09-swivel-findings#97

YAxis - Alex The Entreprenerd

Malicious Strategies https://code4rena.com/reports/2021-09-yaxis/#m-13-managerallowedvaults-check-missing-for-addremove-strategy https://code4rena.com/reports/2021-09-yaxis/#m-14-halting-the-protocol-should-be-onlygovernance-and-notonlystrategist

Vader 2 - Alcueca Example of Governor going wrong as Med code-423n4/2021-11-vader-findings#167 Loss of vetoer as vulnerability (Arguably sneaked as High vs Med) code-423n4/2021-11-vader-findings#186

Lack of Check could lead to issue which is reliant on third party code-423n4/2021-11-vader-findings#256

DoS caused by Owner code-423n4/2021-11-vader-findings#8

Example of Owner ceasing to service the tech causing a DoS, hence Med code-423n4/2021-11-vader-findings#20

Nested Finance - Alcueca Unset value by owner code-423n4/2021-11-nested-findings#82

Malicious setting by owner code-423n4/2021-11-nested-findings#231

Overlay - dmtv

Not exactly full Admin but contingent on Admin Action code-423n4/2021-11-overlay-findings#55

Unlock Protocol - Leastwood code-423n4/2021-11-unlock-findings#50

Malt Protocol - Alex The Entreprenerd code-423n4/2021-11-malt-findings#285

code-423n4/2021-11-malt-findings#124

Mellow - Leastwood code-423n4/2021-12-mellow-findings#49

DefiProtocol - Leastwood code-423n4/2021-12-defiprotocol-findings#145

NFTX - LSDan Pedroais Submitted code-423n4/2021-12-nftx-findings#213

Perennial - Alex The Entreprenerd code-423n4/2021-12-perennial-findings#63

Notable Instances

I always like to point out specific instances of reports in which downplaying the severity has led to user funds being lost, which to my understanding has happened with Wild Protocol

Admin Privilege finding downplayed and downgraded to low (Owner will use these privileges to skim x% of all users' tokens to repay for the debt) code-423n4/2021-07-wildcredit-findings#85

Specific cause of the bug code-423n4/2021-07-wildcredit-findings#115
