Centralization risks
Description
There are four privileged roles for the contract InfiniCardVault:
The default admin role is able to grant other roles to accounts and revoke roles from accounts.
The admin role has the ability to modify the strategy whitelists, custodian whitelists, and token whitelists.
The strategy operator role is able to interact with the valid strategies using associated underlying tokens and share tokens in the contract.
The Infini backend role can withdraw whitelisted tokens from the contract.
Impact
These roles introduce centralization risks that users should be aware of, since they grant a small set of privileged accounts control over the system (role assignment, whitelists, strategy interaction and token withdrawal).
Recommendations
We recommend clearly documenting this centralized design to inform users about the owner's control over the contract. This transparency enables users to make informed decisions about their participation in the project. Additionally, outlining the specific circumstances under which the owner may exercise these powers can build trust and enhance transparency.
To further mitigate these risks, we suggest implementing measures such as a multi-signature requirement for owner access.
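As an added illustration of the recommended structure (example code, not the InfiniCardVault contract or the auditor's code), the sketch below assumes OpenZeppelin v5 and invented role names; it hands the default admin role to a multi-signature wallet, enforces a delayed two-step transfer of that role, and emits events for whitelist changes so privileged actions are auditable on-chain.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed dependency: OpenZeppelin Contracts v5.
import {AccessControlDefaultAdminRules} from "@openzeppelin/contracts/access/extensions/AccessControlDefaultAdminRules.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical vault illustrating the four-role layout from the finding.
contract VaultRolesExample is AccessControlDefaultAdminRules {
    using SafeERC20 for IERC20;

    // Role identifiers are assumptions, not names from the audited contract.
    bytes32 public constant ADMIN_ROLE = keccak256("ADMIN_ROLE");
    bytes32 public constant STRATEGY_OPERATOR_ROLE = keccak256("STRATEGY_OPERATOR_ROLE");
    bytes32 public constant BACKEND_ROLE = keccak256("BACKEND_ROLE");

    mapping(address => bool) public strategyWhitelist;
    mapping(address => bool) public tokenWhitelist;

    // Events make every privileged change visible to monitoring and users.
    event StrategyWhitelistUpdated(address indexed strategy, bool allowed);
    event TokenWhitelistUpdated(address indexed token, bool allowed);
    event BackendWithdrawal(address indexed token, address indexed to, uint256 amount);

    // `multisig` becomes the single DEFAULT_ADMIN_ROLE holder; transferring that role
    // requires a two-step handover that only completes after `transferDelay` seconds.
    // DEFAULT_ADMIN_ROLE is also the admin of the three operational roles by default.
    constructor(address multisig, uint48 transferDelay)
        AccessControlDefaultAdminRules(transferDelay, multisig)
    {}

    // Admin role: maintains the whitelists.
    function setStrategyWhitelisted(address strategy, bool allowed) external onlyRole(ADMIN_ROLE) {
        strategyWhitelist[strategy] = allowed;
        emit StrategyWhitelistUpdated(strategy, allowed);
    }

    function setTokenWhitelisted(address token, bool allowed) external onlyRole(ADMIN_ROLE) {
        tokenWhitelist[token] = allowed;
        emit TokenWhitelistUpdated(token, allowed);
    }

    // Backend role: may only move tokens that the admin role has whitelisted.
    function withdrawToken(address token, address to, uint256 amount) external onlyRole(BACKEND_ROLE) {
        require(tokenWhitelist[token], "token not whitelisted");
        IERC20(token).safeTransfer(to, amount);
        emit BackendWithdrawal(token, to, amount);
    }
}
```

The strategy operator role is declared but its strategy-interaction functions are omitted here; they would follow the same `onlyRole(STRATEGY_OPERATOR_ROLE)` pattern, gated on `strategyWhitelist`.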