Assessment reportsPublic findings
Back to Zellic site
Assessment reports>InfiniCard Vault>Informational findings>Centralization risks
GeneralOverview
Findings
High (1)
Medium (1)
Low (2)
Informational (2)Centralization risksUnused variable
DiscussionTypographical errorsLack of comprehensive test suite
Threat ModelWhat are threat models?BaseStrategyVault.solInfiniCardVault.solInfiniEthenaStrategyManager.solInfiniMorphoStrategyVault.sol
Audit ResultsAssessment Results
Category: Business Logic

Centralization risks

Informational Severity
Informational Impact
Low Likelihood

Description

There are four privileged roles for the contract InfiniCardVault:

  1. The default admin role is able to grant other roles to accounts and revoke roles from accounts.

  2. The admin role has the ability to modify the strategy whitelists, custodian whitelists, and token whitelists.

  3. The strategy operator role is able to interact with the valid strategies using associated underlying tokens and share tokens in the contract.

  4. The Infini backend role can withdraw whitelisted tokens from the contract.

Impact

The above introduces centralization risks that users should be aware of, as it grants a single point of control over the system.

Recommendations

We recommend clearly documenting this centralized design to inform users about the owner's control over the contract. This transparency enables users to make informed decisions about their participation in the project. Additionally, outlining the specific circumstances under which the owner may exercise these powers can build trust and enhance transparency.

To further mitigate these risks, we suggest implementing measures such as a multi-signature requirement for owner access.

Remediation

Zellic © 2025Back to top ↑