Lines of code
https://github.com/code-423n4/2022-03-biconomy/blob/db8a1fdddd02e8cc209a4c73ffbb3de210e4a81a/contracts/hyphen/token/TokenManager.sol#L44-L54
Vulnerability details
Impact
It is a good practice to give time for users to react and adjust to critical changes. A timelock provides more guarantees and reduces the level of trust required, thus decreasing risk for users. It also indicates that the project is legitimate.
Here, no timelock capabilities seem to be used:
I believe this impacts multiple users enough to make them want to react / be notified ahead of time.
Recommended Mitigation Steps
Consider adding a timelock to TokenManager.sol:function changeFee()
Also, a definitive upper bound should be added to prevent the fees from being set too high.
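As an added illustration, not part of the report or of the Biconomy codebase, a minimal two-step fee change in Solidity: the owner proposes a new fee, the change can only be executed after a fixed notice period, and the value is bounded by a hard maximum. The contract, its names (`TimelockedFee`, `MIN_DELAY`, `MAX_FEE`, `proposeFee`, `executeFeeChange`) and the chosen constants are assumptions for this sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical sketch, not Biconomy's TokenManager: a fee setter guarded by a
// fixed delay and a hard upper bound.
contract TimelockedFee {
    uint256 public constant MAX_FEE = 1000;      // assumed cap, in basis points (10%)
    uint256 public constant MIN_DELAY = 2 days;  // assumed minimum notice period

    address public owner;
    uint256 public fee;

    // Pending change: the value and the earliest timestamp at which it may apply.
    uint256 public pendingFee;
    uint256 public pendingFeeEta;

    event FeeProposed(uint256 newFee, uint256 eta);
    event FeeChanged(uint256 oldFee, uint256 newFee);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(uint256 initialFee) {
        require(initialFee <= MAX_FEE, "fee above cap");
        owner = msg.sender;
        fee = initialFee;
    }

    // Step 1: announce the change. The bound is enforced at proposal time so
    // that an out-of-range value can never be scheduled.
    function proposeFee(uint256 newFee) external onlyOwner {
        require(newFee <= MAX_FEE, "fee above cap");
        pendingFee = newFee;
        pendingFeeEta = block.timestamp + MIN_DELAY;
        emit FeeProposed(newFee, pendingFeeEta);
    }

    // Step 2: apply it once the notice period has passed. Users have had
    // MIN_DELAY to react (for example, withdraw) before the new fee takes effect.
    function executeFeeChange() external {
        require(pendingFeeEta != 0, "nothing pending");
        require(block.timestamp >= pendingFeeEta, "timelock not expired");
        uint256 old = fee;
        fee = pendingFee;
        pendingFeeEta = 0;
        emit FeeChanged(old, fee);
    }
}
```

The `FeeProposed` event is what gives users and monitoring tooling the advance notice the report asks for; the cap makes the worst case for a user bounded regardless of who holds the owner key.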