
Centralization risks

There are four types of privileged accounts for the contracts:

  1. The timelock

  2. The claimer

  3. The signer

  4. The owner

The timelock contract can authorize an upgrade of the contracts according to the Universal Upgradeable Proxy Standard (UUPS) scheme but has no other special powers.

The claimer is able to claim gas from the Blast contracts.

The signer contract can sign withdrawal requests. The signature-generation part is done off chain and was not reviewed. However, this role allows the signer to withdraw all assets from the Blast and Rabbit contracts.

The owner is able to change the supported tokens.

These privileges introduce centralization risks that users should be aware of, as they grant a single point of control over the system.

We recommend that these centralization risks be clearly documented for users so that they are aware of the extent of the owner's control over the contract. This can help users make informed decisions about their participation in the project. Additionally, clear communication about the circumstances in which the owner may exercise these powers can help build trust and transparency with users. We also recommend implementing additional measures to mitigate these risks, such as a multi-signature requirement for owner access.
