Centralization risks
The ThrottleWallet contract has been designed to hold the treasury of RSR tokens and then allow the `USER` to withdraw them slowly over time as needed. The contract splits roles between an `ADMIN` and a `USER` role and grants each role restrictions and privileges according to the specifications. The contract has some centralization risks, primarily due to the privileges associated with the `ADMIN` role.
This table documents the roles defined in the ThrottleWallet contract and highlights the potential risks associated with them according to the contract and the formal specifications provided by Reserve:
Role | Privileges | Restrictions
---|---|---
`ADMIN` | Set the address of the `USER`, renounce its role as `ADMIN`, and cancel a withdrawal | Arbitrarily set a new `ADMIN` address, initiate a withdrawal, and complete a withdrawal
`USER` | Initiate a withdrawal and complete a withdrawal | Change the address of the `USER`, change the address of the `ADMIN`, and cancel a withdrawal
Please note the `ADMIN` role is able to assign the `USER` role to itself or to an arbitrary third party and then initiate and complete withdrawals without being stopped by the `onlyUser` modifiers.
Consider implementing a multi-sig mechanism for the `ADMIN` role. Requiring multiple signatures to perform critical actions in the contract significantly reduces the risks associated with one compromised key or the presence of malicious actors. Proper design and implementation of the roles as well as adoption of best key-custody practices can help mitigate the risk and impact of a compromise of a privileged account.
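The following sketch is an added example, not code from Reserve's ThrottleWallet, showing one way to apply the recommendation above: the `ADMIN` privileges listed in the table (setting the `USER`, cancelling a withdrawal) are gated behind an on-chain M-of-N signer set, while the `USER` actions keep a plain `onlyUser` modifier. The contract name, function names, the `THROTTLE_DELAY` value and the signer-set mechanics are all assumptions made for the illustration; renouncing the `ADMIN` role is omitted to keep the sketch short.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical sketch, not Reserve's ThrottleWallet: the ADMIN privileges
// (set USER, cancel a withdrawal) require `threshold` distinct signer
// approvals, so a single compromised key cannot reassign USER to itself and
// then drain the treasury through initiate/complete. USER keeps one modifier.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract MultiSigAdminThrottle {
    IERC20 public immutable token;
    address[] public signers;            // the ADMIN key set (assumed design)
    uint256 public immutable threshold;  // approvals needed per ADMIN action
    address public user;

    uint256 public constant THROTTLE_DELAY = 7 days; // assumed throttle value
    uint256 public withdrawalAmount;     // pending amount, 0 when nothing is pending
    uint256 public withdrawalUnlockAt;   // earliest time the pending withdrawal completes

    // Per-action approvals. The action id includes `nonce`, so approvals for
    // an earlier instance of the same action cannot be replayed later.
    uint256 public nonce;
    mapping(bytes32 => uint256) public approvals;
    mapping(bytes32 => mapping(address => bool)) public approvedBy;

    modifier onlySigner() { require(isSigner(msg.sender), "not a signer"); _; }
    modifier onlyUser()   { require(msg.sender == user, "not user"); _; }

    constructor(IERC20 _token, address[] memory _signers, uint256 _threshold, address _user) {
        require(_threshold > 0 && _threshold <= _signers.length, "bad threshold");
        token = _token;
        signers = _signers;
        threshold = _threshold;
        user = _user;
    }

    function isSigner(address a) public view returns (bool) {
        for (uint256 i = 0; i < signers.length; i++) {
            if (signers[i] == a) return true;
        }
        return false;
    }

    // Records msg.sender's approval for `actionId` and reports whether the
    // threshold is now met. Each signer address counts at most once, so a
    // duplicated signer entry cannot double-count.
    function _approve(bytes32 actionId) internal returns (bool) {
        require(!approvedBy[actionId][msg.sender], "already approved");
        approvedBy[actionId][msg.sender] = true;
        approvals[actionId] += 1;
        return approvals[actionId] >= threshold;
    }

    // ADMIN action: change USER. In a single-key design this is the call a
    // compromised ADMIN key would use to point USER at itself.
    function approveSetUser(address newUser) external onlySigner {
        bytes32 id = keccak256(abi.encode("setUser", newUser, nonce));
        if (_approve(id)) {
            nonce++;            // executed: stale approvals are now unusable
            user = newUser;
        }
    }

    // ADMIN action: cancel the pending withdrawal.
    function approveCancelWithdrawal() external onlySigner {
        bytes32 id = keccak256(abi.encode("cancel", nonce));
        if (_approve(id)) {
            nonce++;
            withdrawalAmount = 0;
            withdrawalUnlockAt = 0;
        }
    }

    // USER actions, unchanged from the single-modifier design.
    function initiateWithdrawal(uint256 amount) external onlyUser {
        require(withdrawalAmount == 0, "withdrawal already pending");
        require(amount > 0, "zero amount");
        withdrawalAmount = amount;
        withdrawalUnlockAt = block.timestamp + THROTTLE_DELAY;
    }

    function completeWithdrawal(address to) external onlyUser {
        require(withdrawalAmount != 0, "nothing pending");
        require(block.timestamp >= withdrawalUnlockAt, "throttle not elapsed");
        uint256 amount = withdrawalAmount;
        withdrawalAmount = 0;           // clear state before the external call
        withdrawalUnlockAt = 0;
        require(token.transfer(to, amount), "transfer failed");
    }
}
```

Because every action id is bound to the current `nonce`, executing any `ADMIN` action invalidates all outstanding approvals, including those gathered for a different action; signers must re-approve after each execution. That is deliberately conservative for a treasury wallet, and it means the escalation path noted above (one key reassigning `USER` and then withdrawing) now needs `threshold` cooperating or compromised signers rather than one.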