While centralization risks are usually not in scope, the README explicitly states that Admin Should not be able to steal user funds. This however is possible through the usage of withdrawal fees.
Vulnerability Detail
For deposit fees, there are checks that ensure that the admin can not set arbitrarily high fees:
if (_depositFee > 250) revert InvalidDepositFee();
No such fee exists for setting the withdrawal fees. In conjunction with being able to control epoch begin + end time and the rollover mechanism being openly accessible, an admin could use this to transfer all premiums (and all collateral funds too in case of depeg) to the treasury. Since this is likely a multisig he would need to collude with other signers, but a theft would still be possible.
minhtrng
medium
Theft of funds through withdrawal fee
Summary
While centralization risks are usually not in scope, the README explicitly states that
Admin Should not be able to steal user funds
. This however is possible through the usage of withdrawal fees.Vulnerability Detail
For deposit fees, there are checks that ensure that the admin can not set arbitrarily high fees:
No such fee exists for setting the withdrawal fees. In conjunction with being able to control epoch begin + end time and the rollover mechanism being openly accessible, an admin could use this to transfer all premiums (and all collateral funds too in case of depeg) to the treasury. Since this is likely a multisig he would need to collude with other signers, but a theft would still be possible.
Impact
Possible theft of user funds
Code Snippet
https://github.com/sherlock-audit/2023-03-Y2K/blob/ae7f210d8fbf21b9abf09ef30edfa548f7ae1aef/Earthquake/src/v2/VaultFactoryV2.sol#L149
Tool used
Manual Review
Recommendation
Restrict the max value for withdrawal fees as is done with deposit fees.
Duplicate of #47