Category: Business Logic

Centralization risk of trusted owner

Medium Severity
Medium Impact
Low Likelihood

Description

The OstiumRegistry allows governance to update, register, or unregister any contract in the protocol. The governance address could also be updated using the setGov function by the owner of the contract. This introduces centralization risks that users of the protocol should be aware of, as it grants a single point of control over the system.

Impact

The owner could update the governance address, leading to centralization risks, which include the ability of the admin to pause and unpause the protocol at their discretion, whitelisting an address, updating important parameters in the protocol, and so on.

Recommendations

It is recommended to implement additional measures to mitigate these risks, such as requiring a multi-signature wallet for admin access or rate-limiting how often privileged functions can be invoked.

Remediation

Ostium Labs will mitigate the centralization risk by setting the owner of OstiumRegistry to an OstiumTimelockOwner contract, which is an OpenZeppelin TimelockController.
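To make the finding and the remediation concrete, here is an added example (not Ostium's code and not taken from this report): a minimal registry whose owner can swap governance through `setGov`, followed by a deployer that hands ownership to an OpenZeppelin `TimelockController` so that every owner-only action is scheduled publicly and can only execute after a minimum delay. The contract names, `minDelay` choice, and the single-proposer setup are assumptions; the OpenZeppelin imports assume Contracts v5 (the four-argument `TimelockController` constructor and `Ownable(initialOwner)`).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative example added to the report; not Ostium's code.
// Assumes OpenZeppelin Contracts v5.
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {TimelockController} from "@openzeppelin/contracts/governance/TimelockController.sol";

/// Hypothetical stand-in for a registry: the owner can replace governance,
/// and governance can register or unregister protocol contracts.
contract ExampleRegistry is Ownable {
    address public gov;
    mapping(bytes32 => address) public contracts;

    event GovUpdated(address indexed oldGov, address indexed newGov);
    event ContractRegistered(bytes32 indexed name, address indexed addr);
    event ContractUnregistered(bytes32 indexed name);

    modifier onlyGov() {
        require(msg.sender == gov, "not gov");
        _;
    }

    constructor(address initialOwner, address initialGov) Ownable(initialOwner) {
        require(initialGov != address(0), "zero gov");
        gov = initialGov;
    }

    // The single point of control from the finding: if the owner is an EOA,
    // governance (and with it pause/whitelist/parameter powers) can be handed
    // to any address instantly, with no public notice.
    function setGov(address newGov) external onlyOwner {
        require(newGov != address(0), "zero gov");
        emit GovUpdated(gov, newGov);
        gov = newGov;
    }

    function registerContract(bytes32 name, address addr) external onlyGov {
        contracts[name] = addr;
        emit ContractRegistered(name, addr);
    }

    function unregisterContract(bytes32 name) external onlyGov {
        delete contracts[name];
        emit ContractUnregistered(name);
    }
}

/// Deploys the registry and places its ownership behind a TimelockController,
/// mirroring the remediation: setGov (and every other onlyOwner call) must be
/// scheduled on-chain and can only execute once `minDelay` has elapsed.
contract TimelockedRegistryDeployer {
    ExampleRegistry public registry;
    TimelockController public timelock;

    /// @param proposer   account allowed to schedule operations (e.g. a multisig)
    /// @param initialGov governance address the registry starts with
    /// @param minDelay   seconds that must pass between schedule and execute
    constructor(address proposer, address initialGov, uint256 minDelay) {
        address[] memory proposers = new address[](1);
        proposers[0] = proposer;

        // Granting EXECUTOR_ROLE to address(0) lets anyone execute a matured
        // operation, so execution cannot be blocked by a single party.
        address[] memory executors = new address[](1);
        executors[0] = address(0);

        // admin = address(0): nobody can edit timelock roles without going
        // through the delay themselves.
        timelock = new TimelockController(minDelay, proposers, executors, address(0));

        // Deploy with this contract as temporary owner, then hand ownership
        // to the timelock. From here on, the EOA/multisig cannot call setGov
        // directly; it can only propose the call through the timelock.
        registry = new ExampleRegistry(address(this), initialGov);
        registry.transferOwnership(address(timelock));
    }

    /// Calldata the proposer passes to timelock.schedule(...) to change gov.
    function setGovPayload(address newGov) external pure returns (bytes memory) {
        return abi.encodeCall(ExampleRegistry.setGov, (newGov));
    }
}
```

With this setup, a governance change becomes a two-step, publicly visible process: the proposer calls `timelock.schedule(address(registry), 0, setGovPayload(newGov), bytes32(0), salt, minDelay)`, the timelock emits `CallScheduled`, and only after `minDelay` can anyone call `timelock.execute(address(registry), 0, payload, bytes32(0), salt)`. Monitoring for `CallScheduled` events on the timelock gives users and integrators the review window that a bare `onlyOwner` function lacks, and a proposer that is itself a multisig covers the multi-signature recommendation above.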

Zellic © 2024