autonomoussoftware / metronome

Metronome autonomous system
MIT License

Audit: Claiming ERC Tokens from Metronome contracts #6

Closed filcap closed 6 years ago

filcap commented 6 years ago

Reported by Gustav Severity: Medium

Summary: Metronome contracts such as the AC and Proceeds contracts cannot spend any ERC20 or similar tokens received.

Details: Many ERC20 tokens have been airdropped on accounts and contracts holding ETH - OmiseGO is a prominent example. As some of these drop tokens proportional to ETH amounts, the Metronome Proceeds contract in particular may receive substantial air drops as it will likely hold a significant amount of ETH compared to most accounts / contracts. Such air drops may end up (very) valuable, motivating a need for the Metronome contracts to be able to spend them. While some air drops attempt to identify system / protocol contracts and exclude them from air dropping, it is not guaranteed that future air drops will not include Metronome contracts.

This also applies to intentional or accidental transfers of ERC20 tokens to Metronome contracts - whichever way tokens may be received, we recommend that there is a way for them to be transferred.

See ethereum/EIPs#223 for more info and some prominent examples of large accidental lockups.
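One way to provide the recovery path the report asks for, as an added example that is not Metronome's own code: a hypothetical `TokenRecoverable` contract (the contract name, the `owner` and `protectedToken` fields, and the `recoverERC20` function are all assumptions for illustration) that can move stray ERC20 balances out, while explicitly excluding the contract's own token and its ETH from the capability so the privileged path only touches assets the contract was never meant to hold.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC20 surface needed for recovery; declared here for the example,
// not taken from the Metronome code base.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical contract showing a deliberately narrow token-recovery path.
contract TokenRecoverable {
    address public immutable owner;          // assumed single recovery authority
    address public immutable protectedToken; // assumed: the contract's own token, never recoverable

    event TokensRecovered(address indexed token, address indexed to, uint256 amount);

    constructor(address _protectedToken) {
        owner = msg.sender;
        protectedToken = _protectedToken;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Moves stray ERC20 tokens (airdrops, mis-sent transfers) out of this contract.
    // The protected token and ETH are out of scope on purpose: the function can
    // only reach assets the contract was not designed to hold, which bounds the
    // damage a compromised or misused owner key could do through this path.
    function recoverERC20(address token, address to) external onlyOwner {
        require(token != protectedToken, "protected token");
        require(to != address(0), "zero recipient");
        uint256 amount = IERC20(token).balanceOf(address(this));
        require(amount > 0, "nothing to recover");
        // Check the boolean result: some tokens return false instead of reverting.
        require(IERC20(token).transfer(to, amount), "transfer failed");
        emit TokensRecovered(token, to, amount);
    }
}
```

Two practical caveats: tokens whose `transfer` returns no value at all will revert under this interface because the ABI decoder expects a `bool`, so a production version needs a low-level call wrapper (the SafeERC20 pattern) to handle them; and emitting `TokensRecovered` on every use is what makes the privileged path auditable on-chain, which is the main mitigation for the "managerial owner" concern if such a function is kept at all.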

jgarzik commented 6 years ago

I'm reluctant here, because this gives an impression we wish to avoid: that there is a Metronome owner keeping a watchful managerial eye over users. We prefer to do the opposite by default: Remove any onlyOwner (superuser) capability, wherever possible, even if this means closing an avenue for recovering mis-sent funds.

filcap commented 6 years ago

Closing, since no action required.