hats-finance / Euro-Dollar-0xa4ccd3b6daa763f729ad59eae75f9cbff7baf2cd

Audit competition repository for Euro-Dollar (0xa4ccd3b6daa763f729ad59eae75f9cbff7baf2cd)
https://hats.finance
MIT License

Centralization Risk for trusted owners #13

Open hats-bug-reporter[bot] opened 1 week ago

hats-bug-reporter[bot] commented 1 week ago

Github username: -- Twitter username: -- Submission hash (on-chain): 0xf3f444bb432b4cdfe62db4f666d6a43d499c9b0a1326fa105b30ebcd81ea687f Severity: medium

Description:

Impact:

Contracts have owners and privileged role holders (the `onlyOwner` / `onlyRole` functions listed below) that can perform admin tasks such as minting, burning, pausing, upgrading and recovering funds; those accounts must be trusted not to perform malicious updates or drain funds.

Instances (31):

File: InvestToken.sol

123:     function mint(address to, uint256 amount) public onlyRole(MINT_ROLE) returns (bool) {

135:     function burn(address from, uint256 amount) public onlyRole(BURN_ROLE) returns (bool) {

156:         onlyRole(BURN_ROLE)

173:     function recover(address from, address to, uint256 amount) public onlyRole(RESCUER_ROLE) returns (bool) {

368:     function changeYieldOracle(IYieldOracle _yieldOracle) public onlyRole(DEFAULT_ADMIN_ROLE) {

375:     function pause() public onlyRole(PAUSER_ROLE) {

382:     function unpause() public onlyRole(PAUSER_ROLE) {

391:     function _authorizeUpgrade(address newImplementation) internal override onlyRole(UPGRADER_ROLE) {}
File: USDE.sol

100:     function mint(address to, uint256 amount) public onlyRole(MINT_ROLE) returns (bool) {

112:     function burn(address from, uint256 amount) public onlyRole(BURN_ROLE) returns (bool) {

133:         onlyRole(BURN_ROLE)

150:     function recover(address from, address to, uint256 amount) public onlyRole(RESCUER_ROLE) returns (bool) {

164:     function pause() public onlyRole(PAUSER_ROLE) {

171:     function unpause() public onlyRole(PAUSER_ROLE) {

180:     function _authorizeUpgrade(address newImplementation) internal override onlyRole(UPGRADER_ROLE) {}
File: Validator.sol

12: contract Validator is AccessControl, IValidator {

54:     function whitelist(address account) external onlyRole(WHITELISTER_ROLE) {

62:     function whitelist(address[] calldata accounts) external onlyRole(WHITELISTER_ROLE) {

81:     function blacklist(address account) external onlyRole(BLACKLISTER_ROLE) {

89:     function blacklist(address[] calldata accounts) external onlyRole(BLACKLISTER_ROLE) {

108:     function void(address account) external onlyRole(WHITELISTER_ROLE) {

116:     function void(address[] calldata accounts) external onlyRole(WHITELISTER_ROLE) {
File: YieldOracle.sol

9: contract YieldOracle is IYieldOracle, Ownable {

49:     constructor(address _initialOwner, address _initialOracle) Ownable(_initialOwner) {

110:     function setOracle(address _oracle) external onlyOwner {

118:     function setMaxPriceIncrease(uint256 _maxPriceIncrease) external onlyOwner {

126:     function setCommitDelay(uint256 delay) external onlyOwner {

136:     function setUpdateDelay(uint256 delay) external onlyOwner {

146:     function setCurrentPrice(uint256 price) external onlyOwner {

156:     function setPreviousPrice(uint256 price) external onlyOwner {

165:     function resetNextPrice() external onlyOwner {
AndreiMVP commented 1 week ago

Well yeah, we have to trust the admins; that's part of the design.