CardBox
High Risk
The next-generation Web3 trading card ecosystem
1 Issue Detected
1. Backdoor Functions
CardBox's three core upgradeable proxy contracts are CardPool (proxy: 0xe2600c0b8ba8a2a6f583c93c2f574827a9c385b3, implementation: 0xdc68d7c10766a75fa6fd019f0bcd52fa6e989b52), CardBoxNFT (proxy: 0xeac124dfc8fb42b864767307f62f4c816207a619, implementation: 0x2b5304c32e7ef422d943f45ea20ce870e77703a8), and CardMarketplace (proxy: 0xb58b9fad3e2621ba457aeaa8b80f85610313adab, implementation: 0x336f6192edcddc9b1dc59b6790e16145eec07615).

Their corresponding ProxyAdmin contracts are 0x8a6da7d1fcc3a7e5e94f3910ddaaf3c3846905df, 0xc079b7df8306386c3035a013cef0fce07f9a15d3, and 0x0960b829920412c7420feead3a6bc15bc76b72b7. All three ProxyAdmins are owned by the same EOA, 0x114ef3D41236F2a409023fc350E1f998E84afda0, so this single address can unilaterally upgrade every core contract. With no multisig or timelock in front of it, compromise, misuse, or malicious action by this EOA could introduce arbitrary malicious logic into any of the three contracts.

More critically, CardPool.withdrawFunds() allows any account holding ADMIN_ROLE to withdraw all USDT held in the pool at any time, with no timelock and no withdrawal cap. Since users deposit USDT into this pool when purchasing card packs, this function effectively constitutes a backdoor over user-deposited funds, creating both a significant centralization risk and a direct fund-security risk.
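The following is an added illustration, not CardBox's own source (which this alert does not quote), of the withdrawal pattern described above beside a hardened version: UncappedPool lets any ADMIN_ROLE holder drain the pool's balance in one call, while TimelockedPool requires a withdrawal to be queued on-chain, waited out, and kept under a cap. Contract names, the delay, and the cap value are assumptions; the role and token plumbing uses OpenZeppelin's AccessControl and SafeERC20.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/access/AccessControl.sol";
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
// Shared role setup. Contract names are illustrative, not CardBox's source.
abstract contract PoolBase is AccessControl {
    bytes32 public constant ADMIN_ROLE = keccak256("ADMIN_ROLE");
    IERC20 public immutable usdt;
    constructor(IERC20 token) {
        usdt = token;
        _grantRole(DEFAULT_ADMIN_ROLE, msg.sender);
        _grantRole(ADMIN_ROLE, msg.sender);
    }
}

// The pattern the alert describes: any ADMIN_ROLE holder moves the pool's
// entire USDT balance in one call, with no delay and no cap.
contract UncappedPool is PoolBase {
    constructor(IERC20 token) PoolBase(token) {}
    function withdrawFunds(address to) external onlyRole(ADMIN_ROLE) {
        SafeERC20.safeTransfer(usdt, to, usdt.balanceOf(address(this)));
    }
}

// Hardened variant: a withdrawal is announced on-chain, must wait out DELAY
// so depositors and monitors can react, and is bounded by MAX_WITHDRAWAL.
contract TimelockedPool is PoolBase {
    uint256 public constant DELAY = 2 days;             // assumed delay
    uint256 public constant MAX_WITHDRAWAL = 50_000e18; // assumed cap, token base units
    struct Pending { address to; uint256 amount; uint256 readyAt; }
    Pending public pending;
    event WithdrawalQueued(address indexed to, uint256 amount, uint256 readyAt);
    event WithdrawalExecuted(address indexed to, uint256 amount);
    constructor(IERC20 token) PoolBase(token) {}

    function queueWithdrawal(address to, uint256 amount) external onlyRole(ADMIN_ROLE) {
        require(amount <= MAX_WITHDRAWAL, "exceeds cap");
        pending = Pending(to, amount, block.timestamp + DELAY);
        emit WithdrawalQueued(to, amount, pending.readyAt);
    }
    function executeWithdrawal() external onlyRole(ADMIN_ROLE) {
        Pending memory p = pending;
        require(p.readyAt != 0 && block.timestamp >= p.readyAt, "not ready");
        delete pending; // single use: the next withdrawal must be queued again
        SafeERC20.safeTransfer(usdt, p.to, p.amount);
        emit WithdrawalExecuted(p.to, p.amount);
    }
}
```

The queued-withdrawal event gives depositors and monitoring tools a DELAY-long window to notice an unexpected drain before it executes; the upgrade-admin finding is addressed operationally, by moving each ProxyAdmin's ownership to a multisig behind a timelock, rather than inside the pool contract.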
Summary: High Risk
Audit: DappBay Red Alarm
List Time: Jun 04, 2026
Chain: BNB Smart Chain