If Trump can falsely count votes: Mercurity.finance smart contract security vulnerability analysis
CertiK
Guest columnist
2020-11-10 03:29
On November 9th, Beijing time, the CertiK security research team discovered a centralization risk in the smart contract code of the DeFi project Mercurity.finance. This article analyzes the details of the incident.

Although the dust has settled in a broad sense in this year's US general election, the result of the election is not yet clear.

Now that the Biden team has announced victory, the American media have announced that Biden will be the next President of the United States. On the other hand, Trump refused to accept the result of the defeat. He continued to count votes and declared that he would take legal action.

The primary reason for today's chaotic results is that the United States has not established an independent and authoritative election commission with power over election affairs. By default, news organizations assume this role. If Trump gains too much power, controls most news organizations, and creates false votes, the result is still unknown.

This means that to some extent, it can be said to be another "media election" after the extremely centralized "Twitter governing the country".

From elections, to the Internet, to the blockchain, in 2020, centralization is no longer a manifestation of authority, but a synonym for "arbitrary" and "authoritarianism".

On November 9th, Beijing time, the CertiK security research team discovered centralization risks in the smart contract code of the DeFi project Mercurity.finance.

The project owner has excessive authority to mint any number of coins and provide any number of rewards for a given account.


ERC20Token.sol

Code address:

https://github.com/MER-DAO/MEE-core/blob/main/contracts/tokens/ERC20Token.sol

Deployment address:

https://etherscan.io/address/0xe1b583dc66e0a24fd9af2dc665f6f5e48978e106#code


Figure 3: issue function with minting method

As shown in Figure 1, the constructor of the ERC20Token.sol smart contract sets the project owner as an issuer. Because the constructor is executed automatically when the smart contract is deployed, the project owner automatically becomes an issuer.

The onlyIssuer modifier shown in Figure 2 restricts the functions it is applied to so that only external callers with the issuer identity can execute them.

Therefore, the project owner, holding the issuer identity, can execute the issue function with the minting method shown in Figure 3 and mint any number of tokens for any account.


AwardContract.sol

Code address:

https://github.com/MER-DAO/MEE-core/blob/main/contracts/AwardContract.sol

Deployment address:

https://etherscan.io/address/0x8Ea43ce113456f45defd0E27e809d719b9CA2362#code


Figure 6: addFreeAward smart contract function

When the project owner deploys AwardContract.sol on the blockchain, the constructor of the AwardContract contract is executed automatically, which means that after the 43 lines of code in Figure 4 are automatically executed, the project owner is automatically given the status of governor.

External callers with governor status can similarly execute any smart contract function modified by the onlyGovernor modifier, such as the addFreeAward function shown in Figure 6.
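The pattern described above for ERC20Token.sol and AwardContract.sol (a constructor that grants the deployer a role, plus functions gated by an `only*` modifier) can be surfaced during review with a small heuristic scan. This is an added example, not code from CertiK or the Mercurity.finance repository; the Solidity sample is constructed, and the mapping name `issuer`, the `_mint` call and the function signatures are assumptions.

```python
import re

# Constructed Solidity sample mirroring the pattern the article describes.
# It is NOT the Mercurity.finance source; signatures and bodies are assumed.
SAMPLE = """
contract ERC20Token {
    mapping(address => bool) public issuer;
    constructor() public { issuer[msg.sender] = true; }
    modifier onlyIssuer() { require(issuer[msg.sender], "not issuer"); _; }
    function issue(address account, uint256 amount) public onlyIssuer {
        _mint(account, amount);
    }
    function transfer(address to, uint256 amount) public { _transfer(msg.sender, to, amount); }
}
"""

FUNC = re.compile(r"function\s+(\w+)\s*\([^)]*\)([^{;]*)\{")
ROLE_MODIFIER = re.compile(r"\bonly[A-Z]\w*")
CTOR_GRANT = re.compile(
    r"constructor\s*\([^)]*\)[^{]*\{[^}]*\[\s*msg\.sender\s*\]\s*=\s*true")

def body_of(src, open_idx):
    """Return the text between the brace at open_idx and its matching close."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
    return src[open_idx + 1:]

def privileged_functions(src):
    """List functions gated by an only* modifier and flag those that mint."""
    findings = []
    for m in FUNC.finditer(src):
        roles = ROLE_MODIFIER.findall(m.group(2))
        if roles:
            body = body_of(src, m.end() - 1)
            findings.append({"function": m.group(1), "roles": roles,
                             "mints": "_mint(" in body})
    return findings

def deployer_gets_role(src):
    """True when the constructor writes msg.sender into a role mapping."""
    return bool(CTOR_GRANT.search(src))
```

The scan is regex-based and only a first-pass triage aid: every function it lists still needs a manual check of who can hold the role and whether the amount is bounded.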


Figure 7: withdraw smart contract function

In summary, the backdoor vulnerabilities in the smart contracts of the Mercurity.finance project all come from the excessive authority of the project owner. Under this type of centralized governance mechanism, project owners have the right to profit at any time or to destroy the project's economic system.

The CertiK security research team suggested that Mercurity.finance update the governance system adopted in the project and introduce a community management mechanism.

CertiK hereby reminds users:

1. The contract code needs to undergo strict security verification and audit before it is allowed to be published.

2. Investors need to measure risks when investing in projects that adopt a centralized governance mechanism, and invest cautiously.
