Centralization risk
There are three types of privileged accounts for the BondingViralityController contract:
The owner
The viralityScoreUpdater
The users on the allowlist
The users on the allowlist can create new tokens but have otherwise no special powers.
The viralityScoreUpdater is able to call updateViralityScores to update the virality score of any registered token. An attacker who gains control of the viralityScoreUpdater account can use this to drain all liquidity held by the contract: set a token's virality score to zero, buy a large amount of that token at zero cost, set the score to a high value, and sell the tokens back, extracting (part of) the liquidity the contract holds for that token. Repeating this cycle, for each registered token, drains all liquidity.
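The following model makes the drain sequence above concrete. It is an added example written for this finding, not code from the BondingViralityController project. The pricing curve is an assumption (a linear bonding curve whose slope is scaled by the virality score in basis points, so a score of zero makes the curve flat), as is the choice to cap a sale's proceeds at the reserve rather than revert; the class and function names are invented for the example.

```python
from fractions import Fraction

BPS_MAX = 10_000   # name from the finding; a score of BPS_MAX is treated here as a 1x multiplier


class BondingPool:
    """Model of one registered token's bonding curve (assumption for this example).

    spot price(supply)           = SLOPE * supply * virality / BPS_MAX
    cost to move supply s0 -> s1 = SLOPE * virality / BPS_MAX * (s1^2 - s0^2) / 2
    """
    SLOPE = Fraction(1, 1_000)

    def __init__(self, reserve, supply, virality):
        self.reserve = Fraction(reserve)   # payment tokens the contract holds for this token
        self.supply = Fraction(supply)     # tokens in circulation
        self.virality = virality           # score in basis points, set by viralityScoreUpdater

    def _curve_integral(self, s0, s1):
        return self.SLOPE * Fraction(self.virality, BPS_MAX) * (s1 * s1 - s0 * s0) / 2

    def buy(self, amount):
        """Mint `amount` tokens; returns the payment tokens charged."""
        cost = self._curve_integral(self.supply, self.supply + amount)
        self.supply += amount
        self.reserve += cost
        return cost

    def sell(self, amount):
        """Burn `amount` tokens; pays what the curve owes, capped at the reserve
        (assumption: the contract pays out what it has instead of reverting)."""
        owed = self._curve_integral(self.supply - amount, self.supply)
        proceeds = min(owed, self.reserve)
        self.supply -= amount
        self.reserve -= proceeds
        return proceeds


def drain_cycle(pool, amount, high_virality):
    """One round of the sequence in the finding: zero the score, buy at no cost,
    raise the score, sell back. Returns the attacker's net gain in payment tokens."""
    pool.virality = 0
    cost = pool.buy(amount)             # zero: the curve is flat at score 0
    pool.virality = high_virality
    return pool.sell(amount) - cost


def drain_all(pool, amount, high_virality, max_cycles=1_000):
    """Repeat cycles until the reserve is empty; returns (extracted, cycles)."""
    extracted = Fraction(0)
    cycles = 0
    while pool.reserve > 0 and cycles < max_cycles:
        extracted += drain_cycle(pool, amount, high_virality)
        cycles += 1
    return extracted, cycles


if __name__ == "__main__":
    pool = BondingPool(reserve=1_000, supply=100, virality=BPS_MAX)
    print(drain_all(pool, amount=1_000, high_virality=BPS_MAX))
```

With the score left alone, a buy followed by a sell of the same amount nets zero; with the score toggled between the two trades the attacker's gain is the full curve integral each round, so the number of rounds needed to empty the reserve only depends on how high the score can be set. A bound on the score range slows this but does not stop it, which is why the finding treats control of the updater key itself as the risk.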
The owner has the same powers as the viralityScoreUpdater and can additionally claim and withdraw different types of fees/yield, set the viralityScoreUpdater, and change various other settings. For example, the owner can use the togglePaused function to pause and unpause the contract, which enables or disables trading. This can lock user funds, since tokens cannot be sold while trading is paused.
The owner could also use updateTokenShares to drain all liquidity from the contract by submitting the payment token as the token together with a Merkle tree whose shareBps values add up to more than BPS_MAX, all made out to the owner. See also ref for background on this.
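The following is an added example, not the project's code, that models the updateTokenShares path described above and the checks that close it. The leaf encoding, the sorted-pair Merkle construction, the `amount` parameter on the share update and the class and function names are all assumptions made for the example; the sample balances and addresses are constructed.

```python
import hashlib

BPS_MAX = 10_000          # name from the finding
PAYMENT_TOKEN = "PAY"     # constructed label for the pool's liquidity token


# Minimal sorted-pair Merkle tree (assumed encoding; the real leaf format is not known).
def leaf_hash(account, share_bps):
    return hashlib.sha256(b"leaf|" + account.encode() + b"|" + share_bps.to_bytes(4, "big")).digest()

def _pair(a, b):
    lo, hi = sorted((a, b))
    return hashlib.sha256(b"node|" + lo + hi).digest()

def _layers(leaves):
    layers = [list(leaves)]
    while len(layers[-1]) > 1:
        cur = layers[-1] + ([layers[-1][-1]] if len(layers[-1]) % 2 else [])
        layers.append([_pair(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return layers

def merkle_root(leaves):
    return _layers(leaves)[-1][0]

def merkle_proof(leaves, index):
    proof = []
    for layer in _layers(leaves)[:-1]:
        layer = layer + ([layer[-1]] if len(layer) % 2 else [])
        proof.append(layer[index ^ 1])
        index //= 2
    return proof

def verify_proof(root, leaf, proof):
    node = leaf
    for sibling in proof:
        node = _pair(node, sibling)
    return node == root


class UnsafeSharesDistributor:
    """Model of the behaviour the finding describes: the owner posts a root and an amount
    for any token, and claims are only checked leaf by leaf against that root."""
    def __init__(self, balances):
        self.balances = dict(balances)   # token -> amount the contract holds
        self.trees = {}                  # token -> (root, amount to distribute)
        self.claimed = set()

    def update_token_shares(self, token, root, amount):
        self.trees[token] = (root, amount)

    def claim(self, token, account, share_bps, proof):
        root, amount = self.trees[token]
        leaf = leaf_hash(account, share_bps)
        if (token, leaf) in self.claimed:
            raise ValueError("already claimed")
        if not verify_proof(root, leaf, proof):
            raise ValueError("invalid proof")
        payout = amount * share_bps // BPS_MAX
        if payout > self.balances[token]:
            raise ValueError("insufficient balance")
        self.claimed.add((token, leaf))
        self.balances[token] -= payout
        return payout


class HardenedSharesDistributor(UnsafeSharesDistributor):
    """Same interface plus the checks the model above lacks: liquidity is never
    distributable, the submitted shares must match the root and sum to at most
    BPS_MAX, and cumulative payouts can never exceed the allocated amount."""
    def __init__(self, balances, payment_token=PAYMENT_TOKEN):
        super().__init__(balances)
        self.payment_token = payment_token
        self.paid = {}

    def update_token_shares(self, token, root, amount, shares):
        if token == self.payment_token:
            raise ValueError("liquidity token is not distributable")
        if sum(bps for _, bps in shares) > BPS_MAX:
            raise ValueError("shares exceed BPS_MAX")
        if merkle_root([leaf_hash(a, b) for a, b in shares]) != root:
            raise ValueError("root does not match submitted shares")
        if amount > self.balances[token]:
            raise ValueError("amount exceeds balance")
        super().update_token_shares(token, root, amount)
        self.paid[token] = 0

    def claim(self, token, account, share_bps, proof):
        _, amount = self.trees[token]
        if self.paid[token] + amount * share_bps // BPS_MAX > amount:
            raise ValueError("cumulative payout exceeds allocation")
        payout = super().claim(token, account, share_bps, proof)
        self.paid[token] += payout
        return payout


def demo():
    # Constructed scenario: two owner-controlled leaves at 100% each (200% of the amount).
    owner_shares = [("owner-wallet-1", BPS_MAX), ("owner-wallet-2", BPS_MAX)]
    owner_leaves = [leaf_hash(a, b) for a, b in owner_shares]
    owner_root = merkle_root(owner_leaves)
    unsafe = UnsafeSharesDistributor({PAYMENT_TOKEN: 2_000, "FEE": 500})
    unsafe.update_token_shares(PAYMENT_TOKEN, owner_root, 1_000)
    drained = sum(unsafe.claim(PAYMENT_TOKEN, a, b, merkle_proof(owner_leaves, i))
                  for i, (a, b) in enumerate(owner_shares))
    hardened = HardenedSharesDistributor({PAYMENT_TOKEN: 2_000, "FEE": 500})
    rejections = []
    for token, amount in ((PAYMENT_TOKEN, 1_000), ("FEE", 500)):
        try:
            hardened.update_token_shares(token, owner_root, amount, owner_shares)
        except ValueError as err:
            rejections.append(str(err))
    fair_shares = [("alice", 6_000), ("bob", 4_000)]
    fair_leaves = [leaf_hash(a, b) for a, b in fair_shares]
    hardened.update_token_shares("FEE", merkle_root(fair_leaves), 500, fair_shares)
    payouts = [hardened.claim("FEE", a, b, merkle_proof(fair_leaves, i))
               for i, (a, b) in enumerate(fair_shares)]
    return {"drained_unsafe": drained, "unsafe_balance_after": unsafe.balances[PAYMENT_TOKEN],
            "hardened_rejections": rejections, "hardened_valid_payouts": payouts}
```

Verifying the whole share list on chain, as the hardened model does, costs gas proportional to the number of leaves; a cheaper contract-side invariant is the cumulative cap alone (total paid for a root can never exceed the amount allocated when the root was set), with the shareBps sum validated off chain before the owner transaction is signed. The refusal to distribute the payment token is the check that matters most for the liquidity drain in the finding.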
The above introduces centralization risks that users should be aware of: it grants a single point of control over the system. We recommend clearly documenting these risks so that users understand the extent of the owner's and the viralityScoreUpdater's control over the contract and can make an informed decision about participating in the project; clear communication about the circumstances in which the owner may exercise these powers also helps build trust and transparency with users. We further recommend additional measures to mitigate these risks, such as a multi-signature requirement for the owner account.