code-423n4 / 2022-11-paraspace-findings


Upgraded Q -> M from #229 [1674661320954] #513

Closed c4-judge closed 1 year ago

c4-judge commented 1 year ago

Judge has assessed an item in Issue #229 as M risk. The relevant finding follows:

Centralization Risk

Contract: https://github.com/code-423n4/2022-11-paraspace/blob/main/paraspace-core/contracts/protocol/tokenization/base/MintableIncentivizedERC721.sol#L131

Impact: It seems the poolAdmin holds too much power, including changing the reward controller, rescuing tokens, etc. This can allow the poolAdmin to impact all users by changing the config or draining the contract. Below is one example, for setIncentivesController.

Steps:

1. PoolAdmin calls setIncentivesController and sets rewardController to zero.
2. This causes users to stop getting incentives on their stakes. So if a user decides to burn, then the reward incentives are gone permanently.

Recommendation: Keep the poolAdmin as a multisig and behind a timelock to prevent immediate changes.
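The pattern the finding describes, and the recommended mitigation, as an added illustrative example. This is not ParaSpace code and not the judge's or warden's code; the contract and function names (IncentivizedTokenWeak, IncentivizedTokenTimelocked, queueIncentivesController, executeIncentivesController, DELAY) are hypothetical, and the reward hook is modelled as a single handleAction call that is skipped when the controller is address(0), which is an assumption about how such tokens typically wire incentives.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Illustrative example only (not ParaSpace code); all names are hypothetical.
interface IRewardController {
    function handleAction(address user, uint256 totalSupply, uint256 userBalance) external;
}

// Before: one admin key swaps the reward controller instantly, with no
// sanity check. Setting it to address(0) silently disables incentive
// accounting for every holder from that point on.
contract IncentivizedTokenWeak {
    address public poolAdmin;
    IRewardController public rewardController;
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    modifier onlyPoolAdmin() {
        require(msg.sender == poolAdmin, "not pool admin");
        _;
    }

    constructor(address admin, IRewardController controller) {
        poolAdmin = admin;
        rewardController = controller;
    }

    // Single privileged call, effective immediately, zero address accepted.
    function setIncentivesController(IRewardController controller) external onlyPoolAdmin {
        rewardController = controller;
    }

    function burn(uint256 amount) external {
        uint256 oldBalance = balanceOf[msg.sender];
        uint256 oldSupply = totalSupply;
        balanceOf[msg.sender] = oldBalance - amount;
        totalSupply = oldSupply - amount;
        // With the controller zeroed, the accrual hook is skipped and the
        // rewards for this action are never recorded for the user.
        if (address(rewardController) != address(0)) {
            rewardController.handleAction(msg.sender, oldSupply, oldBalance);
        }
    }
}

// After: the same change is announced first and only takes effect after a
// fixed delay; address(0) is rejected. poolAdmin is expected to be a multisig,
// and the delay gives users a window to react before the change lands.
contract IncentivizedTokenTimelocked {
    uint256 public constant DELAY = 2 days;

    address public poolAdmin;
    IRewardController public rewardController;

    IRewardController public pendingController;
    uint256 public pendingEffectiveAt;

    event ControllerChangeQueued(address indexed controller, uint256 effectiveAt);
    event ControllerChanged(address indexed controller);

    modifier onlyPoolAdmin() {
        require(msg.sender == poolAdmin, "not pool admin");
        _;
    }

    constructor(address admin, IRewardController controller) {
        require(address(controller) != address(0), "zero controller");
        poolAdmin = admin;
        rewardController = controller;
    }

    // Step 1: the admin (multisig) queues the new controller; nothing changes yet.
    function queueIncentivesController(IRewardController controller) external onlyPoolAdmin {
        require(address(controller) != address(0), "zero controller");
        pendingController = controller;
        pendingEffectiveAt = block.timestamp + DELAY;
        emit ControllerChangeQueued(address(controller), pendingEffectiveAt);
    }

    // Step 2: anyone may apply the queued change once the delay has elapsed.
    function executeIncentivesController() external {
        require(address(pendingController) != address(0), "nothing queued");
        require(block.timestamp >= pendingEffectiveAt, "timelock active");
        rewardController = pendingController;
        delete pendingController;
        delete pendingEffectiveAt;
        emit ControllerChanged(address(rewardController));
    }
}
```

The ControllerChangeQueued event is what makes the timelock useful in practice: off-chain monitoring can alert holders of a pending change during the DELAY window, which a direct setter never gives them.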

c4-judge commented 1 year ago

dmvt marked the issue as duplicate of #54

c4-judge commented 1 year ago

dmvt marked the issue as satisfactory