Judge has assessed an item in Issue #229 as M risk. The relevant finding follows:
Centralization Risk
Contract:
<https://github.com/code-423n4/2022-11-paraspace/blob/main/paraspace-core/contracts/protocol/tokenization/base/MintableIncentivizedERC721.sol#L131>
Impact:
It seems the poolAdmin holds too much power, including changing the reward controller, rescuing tokens, etc. This can allow the poolAdmin to impact all users by changing the config or draining the contract. In this example we will see one example for setIncentivesController.
Steps:
PoolAdmin calls setIncentivesController and sets rewardController to zero.
This causes users to stop getting incentives on their stakes. So if a user decides to burn, the reward incentives are gone permanently.
Recommendation:
Keep the poolAdmin as a multisig and behind a timelock to prevent immediate changes.
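A minimal Solidity sketch of the pattern the finding describes, placed beside the delayed variant the recommendation asks for. This is an added example written for this page, not ParaSpace's code: the contract names, the IRewardController interface, the 2-day delay, the event names and the simplified admin check are all assumed, and the real MintableIncentivizedERC721 contract is not reproduced here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed minimal rewards-controller interface (hypothetical, not ParaSpace's own).
interface IRewardController {
    function handleAction(address user, uint256 totalSupply, uint256 userBalance) external;
}

// Pattern in the finding: one privileged call, effective in the same transaction.
contract ImmediateSetter {
    address public poolAdmin;
    IRewardController public rewardController;

    modifier onlyPoolAdmin() {
        require(msg.sender == poolAdmin, "not pool admin");
        _;
    }

    constructor(address admin, IRewardController controller) {
        poolAdmin = admin;
        rewardController = controller;
    }

    // Passing address(0) silences incentives for every holder immediately.
    function setIncentivesController(IRewardController controller) external onlyPoolAdmin {
        rewardController = controller;
    }

    // Hook a token would call on mint/burn/transfer; with a zero controller it is a no-op,
    // so rewards simply stop accruing without any revert or warning to users.
    function _notifyRewards(address user, uint256 totalSupply, uint256 userBalance) internal {
        if (address(rewardController) != address(0)) {
            rewardController.handleAction(user, totalSupply, userBalance);
        }
    }
}

// Hardened variant: the change is queued on-chain, publicly visible, and only
// executable after a fixed delay, so holders get a window to react or exit.
contract DelayedSetter {
    uint256 public constant DELAY = 2 days; // assumed delay for the example
    address public poolAdmin;               // intended to be a multisig
    IRewardController public rewardController;

    IRewardController public pendingController;
    uint256 public pendingEta; // earliest execution timestamp; 0 means nothing queued

    event ControllerChangeQueued(address indexed controller, uint256 eta);
    event ControllerChangeCancelled(address indexed controller);
    event ControllerChangeExecuted(address indexed controller);

    modifier onlyPoolAdmin() {
        require(msg.sender == poolAdmin, "not pool admin");
        _;
    }

    constructor(address admin, IRewardController controller) {
        poolAdmin = admin;
        rewardController = controller;
    }

    // Step 1: admin announces the new controller; nothing changes yet.
    function queueIncentivesController(IRewardController controller) external onlyPoolAdmin {
        pendingController = controller;
        pendingEta = block.timestamp + DELAY;
        emit ControllerChangeQueued(address(controller), pendingEta);
    }

    // Admin can withdraw a queued change before it lands.
    function cancelIncentivesController() external onlyPoolAdmin {
        emit ControllerChangeCancelled(address(pendingController));
        pendingController = IRewardController(address(0));
        pendingEta = 0;
    }

    // Step 2: anyone may execute once the delay has elapsed.
    function executeIncentivesController() external {
        require(pendingEta != 0, "nothing queued");
        require(block.timestamp >= pendingEta, "timelock active");
        rewardController = pendingController;
        emit ControllerChangeExecuted(address(pendingController));
        pendingController = IRewardController(address(0));
        pendingEta = 0;
    }
}
```

The delayed variant does not stop the admin from eventually setting a zero controller; it only makes the intent visible ahead of time, which is exactly what the multisig-plus-timelock recommendation buys. A multisig on poolAdmin addresses the single-key compromise case, the delay addresses the "immediate change" case, and neither alone covers both.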