Description

The protocol is heavily centralized. This may be by design due to the the nature of yield aggregators.

The governance can call the sweep() function of the Batcher, Vault, ConvexTradeExecutor, PerpTradeExecutor, and Harvester contracts, effectively draining the token balances of the aforementioned contracts.

The strategist can call the sweep() function of the PerpPositionHandlerL2 contract, effectively draining the token balances of the aforementioned contract.

The documentation states that 1–10% of the user-deposited funds stay within the Vault as a buffer and only the yield harvested from Curve and Convex is used for trading on Perpetual Protocol. These invariants are not enforced in any way in the Vault contract itself. The keeper can freely move the user-deposited funds between the Vault and its trade executors. It is therefore the responsibility of keepers to enforce the aforementioned invariants.

Impact

Centralization carries heavy risks, most of which have been outlined in the Description section above. A compromised governance, strategist, or a keeper could potentially steal all user funds.

Recommendations

• Consider setting up multisig wallets for the governance, the strategist, and the keeper.

• Consider enforcing, on the protocol level, the invariants outlined in the documentation.

• Consider following best security practices when handling the private keys of the externally owned accounts.

Remediation

The issue has been acknowledged by the Brahma team. Further steps to securing private keys and usage of a multisig address are being addressed.