Github username: --
Twitter username: 97Sabit
Submission hash (on-chain): 0x5e008be1db2275b2835725c00c3142f62b2beb76c3d9d168f7e93883961706ab
Severity: high

Description: The factory contract's owner is not a timelock.
In the constructor below, the factory owner is set to an address:
https://github.com/catalystdao/catalyst/blob/27b4d0a2bca177aff00def8cd745623bfbf7cb6b/evm/src/CatalystFactory.sol#L31
Changes to the factory that could impact vaults would happen immediately instead of going through a time-delayed governance process.
There should be a form of transparency and accountability to ensure the factory owner is a timelock. Based on the CatalystFactory contract, there's no implementation in the code that the factory owner is a timelock.
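One way to enforce the property the submission asks for, shown as an added example that is not CatalystFactory code: an ownership base contract that only accepts an owner that is a contract and reports a minimum delay. The contract name, error names and `MIN_OWNER_DELAY` value are hypothetical; the only external call assumed is `getMinDelay()`, which OpenZeppelin's TimelockController exposes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration; not CatalystFactory code. All names here are hypothetical.

/// Minimal view of OpenZeppelin's TimelockController, which exposes getMinDelay().
interface ITimelockLike {
    function getMinDelay() external view returns (uint256);
}

abstract contract TimelockOwned {
    /// Assumed policy value: shortest delay accepted for owner actions.
    uint256 public constant MIN_OWNER_DELAY = 2 days;

    address public owner;

    error OwnerNotContract(address candidate);
    error OwnerNotTimelock(address candidate);
    error OwnerDelayTooShort(uint256 delay);
    error NotOwner();

    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor(address initialOwner) {
        _setTimelockOwner(initialOwner);
    }

    /// Ownership can only move to another address that passes the same check.
    function transferOwnership(address newOwner) external onlyOwner {
        _setTimelockOwner(newOwner);
    }

    function _setTimelockOwner(address candidate) internal {
        // An EOA has no code, so it can never enforce a delay.
        if (candidate.code.length == 0) revert OwnerNotContract(candidate);
        // A candidate whose getMinDelay() call reverts is rejected in the catch branch.
        try ITimelockLike(candidate).getMinDelay() returns (uint256 delay) {
            if (delay < MIN_OWNER_DELAY) revert OwnerDelayTooShort(delay);
        } catch {
            revert OwnerNotTimelock(candidate);
        }
        emit OwnershipTransferred(owner, candidate);
        owner = candidate;
    }
}
```

The check only proves that the owner answers `getMinDelay()` with a sufficient value at the time it is set; confirming that the address is a genuine timelock whose delay cannot later be shortened still requires reviewing the deployed owner contract.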