code-423n4 / 2021-12-amun-findings


User created baskets are owned by defaultController #251

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

0x0x0x

Vulnerability details

User-created baskets are owned by defaultController, and help from the defaultController is needed to use any functionality or set up the basket. In the tests only one account is used, but when a user wants to create a basket, they can't control it properly.

Mitigation steps

Add tests with a user and defaultController and redesign the protocol accordingly.

0xleastwood commented 2 years ago

This sounds like it's intended. The defaultController account handles any administrative functionality of the basket contracts. The contract owner isn't an EOA as people have stated it is.