From the CertiK audit last February, we can read the following.
My question: Why did the “Onyx team” acknowledge these issues and not do anything to solve them? Who’s the owner of ‘admin’ and ‘owner’? Is it under a multi-sig? If it’s held by a single person, then Onyx is not decentralized at all.
CertiK Major Issue:
"Recommendation
The risk describes the current project design and potentially makes iterations to improve in the security operation and level of decentralization, which in most cases cannot be resolved entirely at the present stage. We recommend carefully managing the privileged account’s private key to avoid any potential risks of being hacked. In general, we strongly recommend centralized privileges or roles in the protocol be improved via a decentralized mechanism or smart-contract-based accounts with enhanced security practices, e.g., multi-signature wallets.
Indicatively, here are some feasible suggestions that would also mitigate the potential risk at a different level in terms of short-term, long-term and permanent:
Short Term:
The timelock and multi-sig (⅔, ⅗) combination mitigates by delaying the sensitive operation and avoiding a single point of key management failure.
Time-lock with reasonable latency, e.g., 48 hours, for awareness on privileged operations;
AND
Assignment of privileged roles to multi-signature wallets to prevent a single point of failure due to the private key compromised;
AND
A medium/blog link for sharing the timelock contract and multi-signers addresses information with the public audience.
Long Term:
The timelock and DAO combination mitigates by applying decentralization and transparency.
Time-lock with reasonable latency, e.g., 48 hours, for awareness on privileged operations;
AND
Introduction of a DAO/governance/voting module to increase transparency and user involvement;
AND
A medium/blog link for sharing the timelock contract, multi-signers addresses, and DAO information with the public audience.
Permanent:
Renouncing the ownership or removing the function can be considered fully resolved.
Renounce the ownership and never claim back the privileged roles;
OR
Remove the risky functionality.
Alleviation
[Onyx Team]:
Issue acknowledged. I won’t make any changes for the current version."
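To make the audit’s short-term recommendation concrete, here is a minimal timelock in the shape it describes: the protocol’s `admin`/`owner` roles point at this contract, and its own admin is a multi-sig, so every privileged call is announced on-chain at least 48 hours before it can run. This is an added illustration, not CertiK’s or Onyx’s code; the 2-of-3 multi-sig address and the 14-day grace period are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative timelock (not the Onyx contracts): protocol admin/owner roles
// are assigned to this contract; its admin is assumed to be a 2-of-3 multi-sig.
contract Timelock {
    uint256 public constant MIN_DELAY = 48 hours;   // latency suggested by the audit
    uint256 public constant GRACE_PERIOD = 14 days; // assumption: execution window after eta
    address public immutable admin;                 // assumption: the multi-sig wallet address
    mapping(bytes32 => bool) public queued;
    event Queued(bytes32 indexed id, address target, bytes data, uint256 eta);
    event Executed(bytes32 indexed id);
    event Cancelled(bytes32 indexed id);
    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }
    constructor(address multisig) { admin = multisig; }
    // Operation id: the same (target, data, eta) always hashes to the same id.
    function hashOp(address target, bytes calldata data, uint256 eta) public pure returns (bytes32) {
        return keccak256(abi.encode(target, data, eta));
    }
    // Step 1: announce the privileged call; eta must be at least 48h in the future,
    // which is what gives users the awareness window the audit asks for.
    function queue(address target, bytes calldata data, uint256 eta) external onlyAdmin returns (bytes32 id) {
        require(eta >= block.timestamp + MIN_DELAY, "eta below minimum delay");
        id = hashOp(target, data, eta);
        require(!queued[id], "already queued");
        queued[id] = true;
        emit Queued(id, target, data, eta);
    }
    // The multi-sig can withdraw a queued call during the delay (e.g. after community objection).
    function cancel(address target, bytes calldata data, uint256 eta) external onlyAdmin {
        bytes32 id = hashOp(target, data, eta);
        require(queued[id], "not queued");
        queued[id] = false;
        emit Cancelled(id);
    }
    // Step 2: run the call only after the delay has elapsed and before it goes stale.
    function execute(address target, bytes calldata data, uint256 eta) external onlyAdmin returns (bytes memory) {
        bytes32 id = hashOp(target, data, eta);
        require(queued[id], "not queued");
        require(block.timestamp >= eta, "delay not elapsed");
        require(block.timestamp <= eta + GRACE_PERIOD, "stale operation");
        queued[id] = false; // mark consumed before the external call
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        emit Executed(id);
        return ret;
    }
}
```

The Queued events are what a blog post or dashboard would point the community at, alongside the multi-signer addresses, to satisfy the audit’s third short-term item.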
I’m getting worried by this as well… Why was the issue acknowledged by the Onyx Team, who then refused to set up any multi-sig, etc.?
Alex, could you please communicate to us all the owner addresses that have privileges, and clarify whether they are under a multi-sig or not and who controls them? If it’s a single contractor dev, then this would be the worst possible situation.
Starting from 28 Mar 2023, when the protocol executed OIP-9, the Onyx protocol is permanently decentralized; users manage and secure the protocol.
CertiK audited Onyx on 2/28/2023, and the audit results do not reflect decentralization changes.
From a security perspective, this audit is not outdated, as the code remains the same; Onyx changed the ownership of the smart contracts from centralized to decentralized. Still, we do have plans for future security audits: Engage a 2nd auditing firm to conduct an audit on ONYX - #2 by alex
Additionally, see OIP-6 Secure Proposal Timelock, Onyx Protocol
Thank you for the update. While this seems like good news, how is it possible such big changes have not undergone an audit? I remember deepack (previous CEO of Onyx & Chain) insisted that any smallest change in code would require a new audit. This is not even close to being a small change.
It is still not clear to me who the admin and guardian addresses are, and by whom they are controlled. But an audit would analyze the code far better than I can.
Given that those changes are unaudited, the priority of getting this code audited increases significantly. Do you think we can audit those changes asap?
I also recall Deepack mentioning a month ago that LDA capital could be used to engage for an audit. Is this possible? We have $40m of potential funding sitting and not being used.
“Transferred smart contracts ownership from centralized to the Onyx Governance and Onyx DAO”—it means that there is no “admin” or “owner” for the contracts anymore. There was no code change. Smart contracts stay the same.
Yes, I agree with the importance of the code audit.
With the budget until the end of July, I didn’t get money for hiring smart contract developers and an audit.
We’ll consider it with the next budget proposal.