Major Centralization Risk in Certik Audit - Is Onyx really decentralized?

From Certik Audit last February, we can read the following.
My question: Why did the “Onyx team” acknowledge the issues and not do anything to solve them? Who is the owner of ‘admin’ and ‘owner’? Is it under a multi-sig? If it’s held by one single person, then Onyx is not at all decentralized.

Certik Major Issue:
"Recommendation

The risk describes the current project design and potentially makes iterations to improve in the security operation and level of decentralization, which in most cases cannot be resolved entirely at the present stage. We recommend carefully managing the privileged account’s private key to avoid any potential risks of being hacked. In general, we strongly recommend centralized privileges or roles in the protocol be improved via a decentralized mechanism or smart-contract-based accounts with enhanced security practices, e.g., multi-signature wallets.

Indicatively, here are some feasible suggestions that would also mitigate the potential risk at a different level in terms of short-term, long-term and permanent:

Short Term:

The timelock and multi-sig (2/3, 3/5) combination mitigates the risk by delaying the sensitive operation and avoiding a single point of key management failure.

  • Time-lock with reasonable latency, e.g., 48 hours, for awareness on privileged operations;
    AND
  • Assignment of privileged roles to multi-signature wallets to prevent a single point of failure due to the private key compromised;
    AND
  • A medium/blog link for sharing the timelock contract and multi-signers addresses information with the public audience.

Long Term:

The timelock and DAO combination mitigates the risk by applying decentralization and transparency.

  • Time-lock with reasonable latency, e.g., 48 hours, for awareness on privileged operations;
    AND
  • Introduction of a DAO/governance/voting module to increase transparency and user involvement;
    AND
  • A medium/blog link for sharing the timelock contract, multi-signers addresses, and DAO information with the public audience.

Permanent:

Renouncing the ownership or removing the function can be considered fully resolved.

  • Renounce the ownership and never claim back the privileged roles;
    OR
  • Remove the risky functionality.

Alleviation

[Onyx Team]:

Issue acknowledged. I won’t make any changes for the current version."
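As an added illustration (not code from CertiK or the Onyx project), here is a small Python model of the short-term mitigation the audit describes: a privileged role held by a 2-of-3 multisig behind a 48-hour timelock. The signer names, the proposal layout and the `set_pending_admin` action are constructed for the example.

```python
DELAY = 48 * 3600  # 48-hour latency, as in the audit's short-term suggestion

class TimelockMultisig:
    """Hypothetical m-of-n multisig behind a timelock: queue, approve, wait, execute."""

    def __init__(self, signers, threshold):
        if not 1 <= threshold <= len(set(signers)):
            raise ValueError("threshold must be between 1 and the signer count")
        self.signers, self.threshold = set(signers), threshold
        self.proposals, self.log = {}, []  # log models the public disclosure

    def _require_signer(self, who):
        if who not in self.signers:
            raise PermissionError(f"{who} is not a signer")

    def queue(self, pid, action, now, by):
        self._require_signer(by)
        self.proposals[pid] = {"action": action, "at": now, "ok": {by}, "done": False}
        self.log.append(f"{now}: {by} queued {pid} '{action}', executable from {now + DELAY}")

    def approve(self, pid, by):
        self._require_signer(by)
        self.proposals[pid]["ok"].add(by)

    def execute(self, pid, now):
        p = self.proposals[pid]
        if p["done"]:
            raise PermissionError(f"{pid} already executed")  # no replay
        if len(p["ok"]) < self.threshold:
            raise PermissionError(f"{pid} has {len(p['ok'])}/{self.threshold} approvals")
        if now < p["at"] + DELAY:
            raise PermissionError(f"{pid} timelocked for {p['at'] + DELAY - now}s more")
        p["done"] = True
        self.log.append(f"{now}: executed {pid} '{p['action']}'")
        return p["action"]

def demo():
    """Constructed walkthrough with 2-of-3 signers; returns each outcome."""
    ms = TimelockMultisig(["alice", "bob", "carol"], threshold=2)
    ms.queue("p1", "set_pending_admin", now=0, by="alice")
    results = {}
    for label, approver, when in (("single_key", None, DELAY),       # one key alone
                                  ("too_early", "bob", DELAY - 1),   # quorum, no delay
                                  ("executed", None, DELAY)):        # quorum + delay
        if approver:
            ms.approve("p1", by=approver)
        try:
            results[label] = ms.execute("p1", now=when)
        except PermissionError as err:
            results[label] = f"refused: {err}"
    return results
```

The first two attempts are refused (one compromised key alone, then quorum reached but before the delay has elapsed); only the third, with quorum and the delay satisfied, executes.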

Hello,

I’ll come back to your question soon.


Will be waiting, sir. Although I feel it's just soft FUD.

What the heck? Are these real?

I’m getting worried by this as well… Why was the issue acknowledged by the Onyx Team, who then refused to set up any multi-sig, etc.?

Alex, could you please communicate to us all the owner addresses that have privileges, and clarify whether they are under a multi-sig or not and who controls them? If it’s a single contractor dev, then this would be the worst possible situation.

The question is about CertiK audit results Onyx Protocol - CertiK Skynet Project Insight
See the Code Security section, View findings ⟶ Centralization Related Risks

Short answer: Onyx resolved this issue permanently on 28 Mar 2023.

Full answer:

Initially Onyx deployed contracts with centralized management to monitor bugs, issues, and set base parameters.

On 24 Mar 2023 with OIP-9: Launch OLP Governance, the Onyx Protocol:

  • Transferred smart contracts ownership from centralized to the Onyx Governance and Onyx DAO
  • Introduced the DAO Governance and the Voting module to increase transparency and user involvement
  • Enabled Time locks for awareness of privileged operations
  • Deployed the Onyx app, the website, and Onyx services using IPFS, decentralized and independent storage; the code is available on Onyx’s GitHub
  • Shared this information with XCN holders to manage the protocol with the DAO Governance and Voting module

For details, see Onyx Protocol

Starting from 28 Mar 2023, when the protocol executed OIP-9, the Onyx protocol is decentralized permanently; users manage and secure the protocol.

CertiK audited Onyx on 2/28/2023, and the audit results do not reflect decentralization changes.
From a security perspective, this audit is not outdated, as the code remains the same; Onyx changed the ownership of the smart contracts from centralized to decentralized. Still, we do have plans for future security audits: Engage a 2nd auditing firm to conduct an audit on ONYX - #2 by alex

Additionally, see OIP-6 Secure Proposal Timelock, Onyx Protocol


Thanks for your reply on this issue, Alex.

Hello Alex.

Thank you for the update. While this seems like good news, how is it possible that such big changes have not undergone an audit? I remember Deepack (previous CEO of Onyx & Chain) insisted that even the smallest change in code would require a new audit. This is not even close to being a small change.

It is still not clear to me what the admin and guardian addresses are, and who controls them. But an audit would analyze the code far better than I can.

Given that those changes are unaudited, the priority of getting this code audited increases significantly. Do you think we can audit those changes ASAP?

I also recall Deepack mentioning a month ago that LDA Capital could be engaged for an audit. Is this possible? We have $40m of potential funding sitting there and not being used.

Thank you,
Atlas


Your question is not entirely clear. Do you want to audit the code that has already been fixed thanks to the audit?

It’s also worth considering that audits are quite expensive; this will require a significant amount of funds.

About LDA funds you can find the details here: Budget allocation for current operations: May–July 2023 (#2)

Which major change has been done recently and not audited, mate?

Hello,

I understand your concerns.

“Transferred smart contracts ownership from centralized to the Onyx Governance and Onyx DAO”—it means that there is no “admin” or “owner” for the contracts anymore. There was no code change. Smart contracts stay the same.

Yes, I agree with the importance of the code audit.

With the budget until the end of July, I didn’t get money for hiring smart contract developers and an audit.
We’ll consider it with the next budget proposal.


So we're gonna have another audit of the code?

An audit of the whole code? Or just one feature, sir?

Hi.

We’ll consider auditing the whole code with another security company.


That will come at a big cost, I suppose.

So nice that we will have another audit. Which agency will be chosen this time?