Description

All critical configuration and fund-custody operations are guarded solely by onlyOwner. The owner can pause deposits, modify caps, rotate signers, and transfer any ERC-20 balance to treasury via withdrawToTreasury. There is no user-triggered withdrawal path, and no multi-signature or timelock enforcement, so custody fully depends on the owner's honesty and key custody.

function withdrawToTreasury(address token, uint256 amount) external onlyOwner {
    IERC20(token).safeTransfer(treasury, amount);
}

Impact

If the owner key is compromised or behaves maliciously, all deposited USDC can be redirected without user consent. This trust assumption may be acceptable for a custodial phase but should be clearly communicated to participants as it introduces a single point of failure.

Recommendations

Consider documenting the custodial model and using a multi-sig key custody.

Remediation