I recently discovered that Alpha Homora v2 (currently around $700m TVL) is fully upgradable by an EOA (externally owned account) admin key. An EOA is essentially a normal single-signer, non-contract Ethereum account with no ability to use multisig or timelock protections.
The admin key is referred to in the protocol as the "governor".
This privileged role was called out in OpenZeppelin's audit of the protocol:
The remainder of the audit provides results under the aggressive assumption that the "governor" will always be used with honesty, skill and integrity:
An EOA admin key with this level of power allows the holder to make massive and spontaneous changes to the protocol without notice to users. If the admin key is used unskillfully or maliciously, it could result in the protocol being bricked or funds being drained.
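The check behind this claim is simple to reproduce: `eth_getCode` returns empty bytes for an EOA, so any privileged role whose address has no code is a single key with no on-chain multisig or timelock in front of it. The script below is an added example, not code from the original post or from Alpha Finance; it assumes a `get_code(address)` callable shaped like web3.py's `w3.eth.get_code`, and all addresses and bytecode in it are constructed.

```python
"""Flag privileged protocol roles that resolve to EOAs (accounts with no code).

Added example, not code from the original post or from Alpha Finance.
Assumes a `get_code(address) -> bytes` callable shaped like web3.py's
`w3.eth.get_code`; the sample addresses and bytecode below are constructed.
"""
from typing import Callable, Dict, List, Union

Code = Union[bytes, str]  # web3.py returns HexBytes; raw JSON-RPC returns "0x..."

# Constructed stand-in for eth_getCode responses (not real chain data).
SAMPLE_CHAIN: Dict[str, Code] = {
    "0x1111111111111111111111111111111111111111": b"",                        # EOA
    "0x2222222222222222222222222222222222222222": "0x",                       # EOA (hex form)
    "0x3333333333333333333333333333333333333333": bytes.fromhex("6080604052"),  # a contract
}


def sample_get_code(address: str) -> Code:
    """Offline substitute for w3.eth.get_code; an unknown address has no code."""
    return SAMPLE_CHAIN.get(address.lower(), b"")


def is_eoa(code: Code) -> bool:
    """eth_getCode yields empty bytes ('0x') for an account with no contract code."""
    if isinstance(code, str):
        return code.lower() in ("", "0x")
    return len(code) == 0


def audit_roles(roles: Dict[str, str], get_code: Callable[[str], Code]) -> Dict[str, str]:
    """Map each role name to 'EOA' or 'contract'.

    An EOA holder is exactly the finding described above: one key, no multisig,
    no delay. A contract holder is not automatically safe (it still has to be
    inspected for signer threshold and timelock), but this is the first gate.
    """
    return {name: ("EOA" if is_eoa(get_code(addr)) else "contract")
            for name, addr in roles.items()}


def eoa_roles(roles: Dict[str, str], get_code: Callable[[str], Code]) -> List[str]:
    """Sorted names of roles held by EOAs, for a findings report."""
    return sorted(n for n, kind in audit_roles(roles, get_code).items() if kind == "EOA")


if __name__ == "__main__":
    # Constructed role table; in practice read governor()/owner() from the contracts.
    roles = {"governor": "0x1111111111111111111111111111111111111111",
             "treasury": "0x3333333333333333333333333333333333333333",
             "pauser":   "0x2222222222222222222222222222222222222222"}
    for name, kind in audit_roles(roles, sample_get_code).items():
        print(f"{name:10s} {kind}")
```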
On May 28 (with daily follow-ups), I began making initial inquiries in Alpha Finance's Discord channel that have remained unanswered by the core team:
- Who is responsible for securing the admin key?
- Who has access to the admin key?
- In what jurisdiction(s) is the admin key located?
- Why has the team chosen to use an EOA rather than a multisig and/or timelock smart contract?
Alpha Finance should engage in this transparency conversation promptly. The lack of visibility into this vulnerable admin key should be very quickly addressed.
UPDATE: 31 May 2021 @ 11am US Eastern
Alpha Finance has responded with the following tweet: