
Centralization risks

The ThrottleWallet contract is designed to hold a treasury of RSR tokens and to let the USER withdraw them gradually over time, subject to a throttle. The contract splits authority between an ADMIN role and a USER role and grants each role the privileges and restrictions laid out in the specifications. The contract carries some centralization risk, primarily because of the privileges attached to the ADMIN role.

The table below lists the roles defined in the ThrottleWallet contract, what each role can and cannot do according to the contract and the formal specifications provided by Reserve, and highlights the resulting risk:

Role: ADMIN
  Can: set the address of the USER, renounce its role as ADMIN, and cancel a withdrawal
  Cannot: arbitrarily set a new ADMIN address, initiate a withdrawal, or complete a withdrawal

Role: USER
  Can: initiate a withdrawal and complete a withdrawal
  Cannot: change the address of the USER, change the address of the ADMIN, or cancel a withdrawal

Note that the onlyUser modifiers do not constrain the ADMIN in practice: because the ADMIN can set the USER address, it can assign the USER role to itself or to an arbitrary third party and then initiate and complete withdrawals, so the "cannot withdraw" restriction on the ADMIN holds only as long as the ADMIN chooses not to reassign the USER.

Consider placing the ADMIN role behind a multi-signature wallet. Requiring multiple signatures for the critical actions in the contract (in particular setting the USER address) significantly reduces the risk posed by a single compromised key or a single malicious key holder. Careful design and implementation of the roles, together with sound key-custody practices, mitigates both the likelihood and the impact of a compromised privileged account.
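The escalation path described above, shown as an added example that is not the audited ThrottleWallet code. MiniThrottleWallet is a hypothetical contract that models only the ADMIN/USER role split and the onlyAdmin/onlyUser modifiers (the withdrawal throttle and the RSR token are omitted; the wallet holds plain ETH instead). The accompanying Foundry test assumes forge-std is available and demonstrates that the ADMIN key, although rejected by onlyUser directly, can reassign the USER role to itself and then drain funds. The names adminKey, userKey, MiniThrottleWallet and AdminEscalationTest are all assumptions introduced for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical, simplified throttle wallet written for this example.
// Only the role model is reproduced; the real contract's throttle logic is omitted.
contract MiniThrottleWallet {
    address public admin;
    address public user;
    address public pendingTo;
    uint256 public pendingAmount;

    event WithdrawalInitiated(address indexed by, address to, uint256 amount);
    event WithdrawalCompleted(address indexed by, address to, uint256 amount);

    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }
    modifier onlyUser()  { require(msg.sender == user, "not user"); _; }

    constructor(address admin_, address user_) {
        admin = admin_;
        user = user_;
    }

    receive() external payable {}

    // ADMIN privileges (see the table above): set the USER, renounce, cancel.
    function setUser(address newUser) external onlyAdmin { user = newUser; }
    function renounceAdmin() external onlyAdmin { admin = address(0); }
    function cancelWithdrawal() external onlyAdmin {
        pendingTo = address(0);
        pendingAmount = 0;
    }

    // USER privileges: initiate and complete a withdrawal.
    // A real implementation would enforce the throttle/delay in completeWithdrawal.
    function initiateWithdrawal(address to, uint256 amount) external onlyUser {
        pendingTo = to;
        pendingAmount = amount;
        emit WithdrawalInitiated(msg.sender, to, amount);
    }

    function completeWithdrawal() external onlyUser {
        address to = pendingTo;
        uint256 amount = pendingAmount;
        require(amount > 0, "nothing pending");
        pendingTo = address(0);
        pendingAmount = 0;
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
        emit WithdrawalCompleted(msg.sender, to, amount);
    }
}

// Foundry test: the onlyUser modifier stops the ADMIN key only until the
// ADMIN uses setUser() to hand the USER role to itself.
contract AdminEscalationTest is Test {
    function testAdminBypassesOnlyUser() public {
        address adminKey = makeAddr("admin"); // assumed: a single EOA, not a multisig
        address userKey = makeAddr("user");
        MiniThrottleWallet w = new MiniThrottleWallet(adminKey, userKey);
        vm.deal(address(w), 10 ether);

        // Direct attempt: onlyUser rejects the ADMIN key as the specification intends.
        vm.prank(adminKey);
        vm.expectRevert(bytes("not user"));
        w.initiateWithdrawal(adminKey, 1 ether);

        // Escalation: ADMIN reassigns USER to itself, then withdraws as USER.
        vm.startPrank(adminKey);
        w.setUser(adminKey);
        w.initiateWithdrawal(adminKey, 1 ether);
        w.completeWithdrawal();
        vm.stopPrank();

        assertEq(w.user(), adminKey);
        assertEq(adminKey.balance, 1 ether);
        assertEq(address(w).balance, 9 ether);
    }
}
```

Nothing in the contract code changes when the multi-signature mitigation is adopted: the fix is to deploy with adminKey set to a multisig address so that setUser() (and therefore the whole escalation sequence) requires several independent signers rather than one key.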

