Category: Business Logic

Potential centralization risk from fee configuration

Severity: Informational
Impact: N/A
Likelihood: N/A

Description

Though the value is not yet used, the staking manager allows the owner to set feePct:

/**
 * @dev Set fees
 */
function setFees(uint256 _feePct) external onlyOwner {
  feePct = _feePct;
}

Impact

If future additions to the protocol do use feePct, the owner would have the ability to make fees arbitrarily high — even above 100%. In general, this requires unnecessary trust from users, which might discourage use of the protocol. In the case of key compromise, this would grant an attacker the ability to steal additional user funds.

Recommendations

We recommend adding a reasonable upper limit (that is at least below 100%) on feePct if it is ever used. Alternatively, Rainmaker could instead implement a timelock for such configuration upgrades to allow users time to react to adverse changes.
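One way to combine both recommendations, a hard cap plus a delay before a new fee takes effect, shown as an added example that is not Rainmaker's code or part of the original report. It assumes feePct is expressed in basis points (10_000 = 100%); the contract name, `MAX_FEE_PCT`, `FEE_DELAY`, `queueFees` and `applyFees` are hypothetical, and the owner check is inlined so the block is self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Rainmaker's code. Assumptions: feePct is in basis
// points (10_000 = 100%); MAX_FEE_PCT and FEE_DELAY values are placeholders.
contract CappedTimelockedFees {
    uint256 public constant MAX_FEE_PCT = 1_000; // 10% hard cap (assumed)
    uint256 public constant FEE_DELAY = 2 days;  // user reaction window (assumed)

    address public immutable owner;
    uint256 public feePct;
    uint256 public pendingFeePct;
    uint256 public pendingFeeEta; // 0 means no change is queued

    event FeeChangeQueued(uint256 newFeePct, uint256 eta);
    event FeeChanged(uint256 oldFeePct, uint256 newFeePct);

    error NotOwner();
    error FeeTooHigh(uint256 requested, uint256 max);
    error NothingQueued();
    error TooEarly(uint256 eta);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Step 1: announce the new fee. The cap is enforced here so an
    // out-of-range value can never even be queued.
    function queueFees(uint256 _feePct) external onlyOwner {
        if (_feePct > MAX_FEE_PCT) revert FeeTooHigh(_feePct, MAX_FEE_PCT);
        pendingFeePct = _feePct;
        pendingFeeEta = block.timestamp + FEE_DELAY;
        emit FeeChangeQueued(_feePct, pendingFeeEta);
    }

    // Step 2: apply it only after the delay has elapsed.
    function applyFees() external onlyOwner {
        if (pendingFeeEta == 0) revert NothingQueued();
        if (block.timestamp < pendingFeeEta) revert TooEarly(pendingFeeEta);
        emit FeeChanged(feePct, pendingFeePct);
        feePct = pendingFeePct;
        pendingFeeEta = 0;
    }
}
```

With this shape, a compromised owner key can raise the fee only up to the cap, and the `FeeChangeQueued` event gives users and monitoring the full delay window to react before the change is applied.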

Remediation

Rainmaker removed this functionality in .

Zellic © 2024