The "Bank" contract, which includes a "onlyController" modification on its methods, is the contract that the "MarketToken" contract descends from. This modifies a contract's deployment to limit access to specific functions to a single "controller" address.
Impact
As a result, the 'controller' address has the power to create new tokens and burn existing ones for any account, thereby controlling the token supply and raising the possibility of centralization problems.
It is advised to adopt a more decentralized approach for managing the token supply, such as a community-based governance model or a multi-signature system, in order to prevent centralization problems.
In its place, a more adaptable access control mechanism, such OpenZeppelin's 'AccessControl' contract, which enables more granular control over who can do particular operations, can be used in place of the 'onlyController' modifier.
tsueti_
medium
CENTRALIZATION RISK
Summary
Possible Centralization Risk.
Vulnerability Detail
The "Bank" contract, which includes a "onlyController" modification on its methods, is the contract that the "MarketToken" contract descends from. This modifies a contract's deployment to limit access to specific functions to a single "controller" address.
Impact
As a result, the 'controller' address has the power to create new tokens and burn existing ones for any account, thereby controlling the token supply and raising the possibility of centralization problems.
Code Snippet
https://github.com/sherlock-audit/2023-02-gmx-tsueti/blob/0a2bcce6a4f3ce7a44801446ee82066c854c69f8/gmx-synthetics/contracts/market/MarketToken.sol#L18-L28
Tool used
Manual Review
Recommendation
It is advised to adopt a more decentralized approach for managing the token supply, such as a community-based governance model or a multi-signature system, in order to prevent centralization problems.
In its place, a more adaptable access control mechanism, such OpenZeppelin's 'AccessControl' contract, which enables more granular control over who can do particular operations, can be used in place of the 'onlyController' modifier.