Closed code423n4 closed 2 years ago
Centralization risk is acknowledged #344
I think it was explicitly mentioned that v1 will be a centralized system, and later steps will be taken to improve decentralization: "BathHouse has an admin that is the EOA administrator of the entire protocol in v1."
Thus, I think it is still an issue but definitely not of high severity.
Duplicate of #249
Lines of code
https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/contracts/rubiconPools/BathHouse.sol#L217-L229
Vulnerability details
Impact
The migration function BathHouse.adminWriteBathToken() provides a rug vector for the admin of the protocol. They are able to receive deposits of underlying token and then switch the bath token contract associated with the underlying token to any contract they desire.
Tools Used
Manual review
Recommended Mitigation Steps
The presence of this function poses a security risk to the users of the protocol. Perhaps migration steps can be completed through a proposal process instead of at will by the owner of the protocol.
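One shape the recommended mitigation can take is a two-step, time-delayed write: the admin first proposes the new bath token for an underlying, and only after a public delay can the mapping actually change, giving depositors an on-chain signal and a window to exit. The contract below is an added illustration written for this report, not Rubicon's BathHouse code; the contract and function names (TimelockedBathRegistry, proposeBathToken, cancelBathToken, executeBathToken) and the MIN_DELAY value are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Illustrative mitigation (not Rubicon's code): the admin-controlled
/// "underlying -> bath token" write is split into propose/execute with a
/// mandatory delay, so a migration can never take effect at will.
/// All names and the delay length here are hypothetical.
contract TimelockedBathRegistry {
    address public admin;
    uint256 public constant MIN_DELAY = 2 days; // assumed delay, not from the report

    // underlying token => bath token currently in force
    mapping(address => address) public tokenToBathToken;

    struct Proposal {
        address bathToken;    // proposed replacement
        uint256 executableAt; // earliest timestamp at which execution is allowed
    }
    // underlying token => queued change (executableAt == 0 means nothing queued)
    mapping(address => Proposal) public pending;

    event BathTokenProposed(address indexed underlying, address indexed bathToken, uint256 executableAt);
    event BathTokenProposalCancelled(address indexed underlying);
    event BathTokenWritten(address indexed underlying, address indexed bathToken);

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    constructor() {
        admin = msg.sender;
    }

    /// Step 1: announce the intended migration. The live mapping is untouched,
    /// and the emitted event lets users and monitors see what is coming.
    function proposeBathToken(address underlying, address bathToken) external onlyAdmin {
        require(bathToken != address(0), "zero bath token");
        uint256 eta = block.timestamp + MIN_DELAY;
        pending[underlying] = Proposal(bathToken, eta);
        emit BathTokenProposed(underlying, bathToken, eta);
    }

    /// The admin may withdraw a queued change before it is executed.
    function cancelBathToken(address underlying) external onlyAdmin {
        require(pending[underlying].executableAt != 0, "nothing queued");
        delete pending[underlying];
        emit BathTokenProposalCancelled(underlying);
    }

    /// Step 2: only once the delay has elapsed does the mapping change.
    function executeBathToken(address underlying) external onlyAdmin {
        Proposal memory p = pending[underlying];
        require(p.executableAt != 0, "nothing queued");
        require(block.timestamp >= p.executableAt, "delay not elapsed");
        delete pending[underlying];
        tokenToBathToken[underlying] = p.bathToken;
        emit BathTokenWritten(underlying, p.bathToken);
    }
}
```

The delay does not remove the admin's power, but it converts a silent, instant re-pointing of user funds into an announced change that depositors can react to, and the BathTokenProposed event is a straightforward thing for off-chain monitoring to alert on. Routing the propose step through a governance vote or multisig instead of a single EOA would tighten it further in the direction the report suggests.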