User-created baskets are owned by defaultController, and help from the defaultController is needed to use any functionality or set up the basket. In tests, simply one account is used, but when a user wants to create a basket, they can’t control it properly.
Mitigation steps
Add tests with a user and defaultController and redesign the protocol accordingly.
This sounds like it's intended. The defaultController account handles any administrative functionality of the basket contracts. The contract owner isn't an EOA as people have stated it is.
Handle
0x0x0x