Centralization risk over multiple contracts
Description
In oracle contracts such as MasterPriceOracle, the contract's admin has central authority over functions such as setDefaultOracle. Likewise, in FusePoolDirectory, the admin has full control over the deployer whitelist.
Impact
If the admin's private key were compromised, an attacker could change the defaultOracle to one that reports a favorable price, sandwiching their swap transaction between two calls to setDefaultOracle: the first to set the favorable oracle and the second to restore the benign default oracle. Similarly, an attacker would be able to whitelist malicious deployer addresses in FusePoolDirectory.
Recommendations
Use a multi-signature wallet for the admin role; this would prevent an attacker from causing economic damage if a single private key were compromised.
Place critical functions behind a timelock so that malicious executions can be detected, and cancelled, before they take effect in the case of a compromise.
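As an added illustration of the recommendation (this is not Ionic Protocol's code and is not part of the audited contracts), the following hypothetical OracleAdminTimelock contract would hold the admin role of MasterPriceOracle and expose setDefaultOracle only through a queue/delay/execute flow. The IMasterPriceOracle interface, the proposer and guardian roles, and the minimum one-day delay are assumptions chosen for the example; in production the proposer would be the multisig. The effect is that a compromised proposer key can queue a change but cannot apply it in the same block, so the two-call sandwich described under Impact is not possible, and the queued change is publicly visible for the duration of the delay, giving a guardian time to cancel it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed minimal interface for the oracle discussed in the finding.
// Only setDefaultOracle, the function named in the report, is assumed here.
interface IMasterPriceOracle {
    function setDefaultOracle(address newDefault) external;
}

// Hypothetical timelock that is made the admin of MasterPriceOracle.
// A proposal must wait `delay` seconds between being queued and being
// executed, so a compromised proposer key cannot flip the default oracle
// back and forth inside a single transaction or block.
contract OracleAdminTimelock {
    IMasterPriceOracle public immutable oracle;
    uint256 public immutable delay;
    address public immutable proposer; // expected to be a multisig in production
    address public immutable guardian; // may cancel queued proposals

    // proposal id => earliest timestamp at which it may be executed (0 = not queued)
    mapping(bytes32 => uint256) public readyAt;

    event Queued(bytes32 indexed id, address newDefault, uint256 readyAt);
    event Executed(bytes32 indexed id, address newDefault);
    event Cancelled(bytes32 indexed id);

    error NotProposer();
    error NotGuardian();
    error NotQueued();
    error AlreadyQueued();
    error TooEarly(uint256 readyAt);

    constructor(IMasterPriceOracle _oracle, address _proposer, address _guardian, uint256 _delay) {
        // Assumed policy: a delay shorter than one day gives reviewers too little time to react.
        require(_delay >= 1 days, "delay too short");
        oracle = _oracle;
        proposer = _proposer;
        guardian = _guardian;
        delay = _delay;
    }

    // Deterministic id so that queue, execute and cancel all refer to the same proposal.
    function proposalId(address newDefault, uint256 salt) public pure returns (bytes32) {
        return keccak256(abi.encode(newDefault, salt));
    }

    // Step 1: the proposer (multisig) announces the intended change on-chain.
    function queueSetDefaultOracle(address newDefault, uint256 salt) external returns (bytes32 id) {
        if (msg.sender != proposer) revert NotProposer();
        id = proposalId(newDefault, salt);
        if (readyAt[id] != 0) revert AlreadyQueued();
        readyAt[id] = block.timestamp + delay;
        emit Queued(id, newDefault, readyAt[id]);
    }

    // Step 2: after the delay, anyone may execute the exact change that was queued.
    function executeSetDefaultOracle(address newDefault, uint256 salt) external {
        bytes32 id = proposalId(newDefault, salt);
        uint256 t = readyAt[id];
        if (t == 0) revert NotQueued();
        if (block.timestamp < t) revert TooEarly(t);
        delete readyAt[id]; // clear before the external call
        oracle.setDefaultOracle(newDefault);
        emit Executed(id, newDefault);
    }

    // Escape hatch: the guardian can drop a queued proposal that looks malicious.
    function cancel(bytes32 id) external {
        if (msg.sender != guardian) revert NotGuardian();
        if (readyAt[id] == 0) revert NotQueued();
        delete readyAt[id];
        emit Cancelled(id);
    }
}
```

The same pattern applies to the FusePoolDirectory deployer whitelist: route the whitelist setter through the timelock instead of letting a single admin key call it directly. Monitoring the Queued event is the practical detection point; an unexpected proposal during the delay window is the signal to cancel and rotate keys.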
Remediation
The issue has been acknowledged by Ionic Protocol and no changes have been made.
Ionic Protocol states, "Before announcing our live platform, we will be transferring admin functionality to MultiSig address, avoiding the risks of single point of failure."