The admin contract determines who can mint tokens or pause transfers. The default contract uses a single private key, which is dangerous: if that private key were stolen, an attacker would have access to sensitive functionality that could compromise the integrity of the token.
Furthermore, with default account permissions, both contract upgradeability and contract permissions may be changed by the contract deployer. If that user is compromised, then the token balances will also become compromised.
The documentation and examples do not take this into account.
We should change the documentation to point out the following:
We encourage anyone deploying a token to use a decentralized governance or multi-sig contract rather than a single account, which is a single point of failure.
Additionally, we recommend that anyone purchasing a token investigate the key management practices of the token deployer, and validate the token contract's permissions as one should with any o1js application.
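As an added illustration of the permission check recommended above (example code, not part of this issue or of the token standard's own code), the following audits a token account's permissions for fields that a single deployer signature can change. It assumes the JSON shape o1js reports for an account's `permissions`, with each field an `AuthRequired` string and `setVerificationKey` optionally wrapped as `{ auth, txnVersion }`; the sample input is constructed.

```typescript
// Assumed shape of a Mina account's `permissions` as reported by o1js.
type AuthRequired = "None" | "Either" | "Proof" | "Signature" | "Impossible";
type VkPermission = AuthRequired | { auth: AuthRequired; txnVersion: string };

interface TokenPermissions {
  editState: AuthRequired;          // who may change on-chain state
  send: AuthRequired;               // who may move the account's balance
  setPermissions: AuthRequired;     // who may change these permissions later
  setVerificationKey: VkPermission; // who may replace the contract logic (upgrade)
}

interface Finding { field: keyof TokenPermissions; severity: "high" | "medium"; reason: string }

// Newer o1js versions wrap setVerificationKey with a txnVersion; unwrap either form.
function authOf(p: VkPermission): AuthRequired {
  return typeof p === "string" ? p : p.auth;
}

// True when a lone signature (or nothing at all) is sufficient: a stolen deployer
// key could then act without any proof from the contract.
function keyAlone(a: AuthRequired): boolean {
  return a === "Signature" || a === "Either" || a === "None";
}

function auditTokenPermissions(p: TokenPermissions): Finding[] {
  const findings: Finding[] = [];
  if (keyAlone(authOf(p.setVerificationKey)))
    findings.push({ field: "setVerificationKey", severity: "high",
      reason: "contract logic can be replaced by the deployer key alone" });
  if (keyAlone(p.setPermissions))
    findings.push({ field: "setPermissions", severity: "high",
      reason: "permissions can be loosened later by the deployer key alone" });
  if (keyAlone(p.editState))
    findings.push({ field: "editState", severity: "medium",
      reason: "state is editable without a proof" });
  if (keyAlone(p.send))
    findings.push({ field: "send", severity: "medium",
      reason: "balance can be moved by signature, bypassing contract logic" });
  return findings;
}

// Constructed sample mirroring default-style permissions: state and send need a
// proof, but upgrades and permission changes only need the deployer's signature.
const defaultStyle: TokenPermissions = {
  editState: "Proof", send: "Proof", setPermissions: "Signature",
  setVerificationKey: { auth: "Signature", txnVersion: "3" },
};
const defaultStyleFindings = auditTokenPermissions(defaultStyle);
```

Each finding names the permission field and why a compromised deployer key would be enough to abuse it; an empty result for a deployment means upgrades and permission changes cannot be made by a single signature.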