Megalith
High Risk
The Meta Layer for the Autonomous Agent Economy
1 Issue Detected
1. Centralization Risks
Two ERC-1967 upgradeable proxy contracts (addresses: 0xC57b82256232f677Ead9Adfb5E635f3733D7026C and 0x2972BF925a32802a644Ad72C4c51d79B76072974) are controlled by the same EOA (0x5ceb54b4290bA9924863063ed17b051376EeC955). This EOA has complete upgrade authority over both proxies and can point either or both to a new implementation via upgradeToAndCall() at any time, fully replacing the contract business logic. Because the ERC-1967 proxy pattern keeps all storage data (user information, mappings, etc.) in the proxy contracts, a malicious new implementation can read, modify, or delete this data. Upgrade operations require no timelock delay or multisig approval and complete instantly within a single transaction, giving users zero warning or time to react. If the single EOA's private key is compromised or stolen, or if the holder acts maliciously, both contracts and all user data are at risk simultaneously. Additionally, if the contracts are functionally interdependent or related, simultaneous upgrades could enable coordinated attacks with greater impact. Recommendation: require the project to transfer ownership to a multisig and implement timelock mechanisms, or avoid using these contracts.
Summary
High Risk
Audit
DappBay Red Alarm
List Time
Dec 16, 2025
Chain
BNB Smart Chain