SafetyModule Manager has full control of fee-dripping model
Description
The protocol has the ability to collect fees from SafetyModules. The fee-dripping model of SafetyModule calculates the amount of fees. Specifically, by invoking the dripFactor() function in the fee-dripping model contract, the SafetyModule calculates the amount of assets that are dripped as fees.
The address of the fee-dripping model contract is stored in CozySafetyModuleManager. The owner of CozySafetyModuleManager can change this address without limitation. The SafetyModule lacks the logic to cap the maximum amount of fees that can be dripped.
Impact
If the owner account of CozySafetyModuleManager is compromised by a malicious actor, reserves of all SafetyModules can be stolen because the malicious actor can change the fee-dripping model and collect the entire reserves from SafetyModules as fees.
Recommendations
Consider imposing limits on the changes to the fee-dripping model, such as capping the maximum fee that can be dripped, implementing a built-in time-lock mechanism for changing the fee-dripping model, or making the fee-dripping model immutable. Also, consider employing multi-signature and time-lock mechanisms for the owner account of the SafetyModule Manager.
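One way to combine the fee cap and the time-lock recommended above, as an added sketch that is not the protocol's own code. Only the name dripFactor() comes from this finding; the contract and interface names, the dripFactor argument, the 1e18 scaling, the 1% cap and the 7-day delay are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical interface: only the name dripFactor() comes from the finding;
// the argument and the 1e18 (WAD) scaling of the result are assumptions.
interface IFeeDripModel {
    function dripFactor(uint256 lastDripTime) external view returns (uint256);
}

contract GuardedFeeDripModel {
    uint256 public constant WAD = 1e18;
    uint256 public constant MAX_DRIP_FACTOR = 0.01e18; // illustrative cap: 1% per drip
    uint256 public constant MODEL_CHANGE_DELAY = 7 days; // illustrative delay

    address public immutable owner;
    IFeeDripModel public feeDripModel;
    IFeeDripModel public pendingModel;
    uint256 public pendingModelReadyAt;
    error Unauthorized();
    error NoPendingModel();
    error DelayNotElapsed();
    constructor(address owner_, IFeeDripModel initialModel_) {
        owner = owner_;
        feeDripModel = initialModel_;
    }

    // Step 1: the owner can only announce a new model; nothing changes yet.
    function queueFeeDripModel(IFeeDripModel newModel_) external {
        if (msg.sender != owner) revert Unauthorized();
        pendingModel = newModel_;
        pendingModelReadyAt = block.timestamp + MODEL_CHANGE_DELAY;
    }

    // Step 2: anyone can finalize, but only after the delay has elapsed.
    function applyFeeDripModel() external {
        if (address(pendingModel) == address(0)) revert NoPendingModel();
        if (block.timestamp < pendingModelReadyAt) revert DelayNotElapsed();
        feeDripModel = pendingModel;
        pendingModel = IFeeDripModel(address(0));
        pendingModelReadyAt = 0;
    }

    // Whatever the current model returns is clamped to the cap before use.
    function cappedFee(uint256 reserves_, uint256 lastDripTime_) public view returns (uint256) {
        uint256 factor_ = feeDripModel.dripFactor(lastDripTime_);
        if (factor_ > MAX_DRIP_FACTOR) factor_ = MAX_DRIP_FACTOR;
        return (reserves_ * factor_) / WAD;
    }
}
```

The cap bounds a single drip only, so how often a drip can be triggered must be bounded as well. The queued model and its ready time are publicly readable, which gives depositors the delay window to react before a change takes effect.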