Tags: Beginner Friendly, Foundry, NFT
Submission Details
Severity: low
Invalid

The protocol is highly centralised

[M-3] The organiser address in Dussehra.sol and the organiser address in RamNFT.sol have the power to influence and obstruct the functioning of the protocol, which leaves the protocol highly centralised.

Description: The organiser address is given a lot of power through several functions.

  1. ChoosingRam::selectRamIfNotSelected gives the organiser sole power to select a Ram. If the organiser does not do this within the set time frame of around one day, the protocol can no longer progress and the funds stay stuck in the contract forever. The liveness of the whole protocol therefore depends on a single off-chain actor showing up on time.

  2. RamNFT::setChoosingRamContract allows the organiser to change choosingRamContract at any time, and thereby to change the characteristics of any Ram NFT. See vulnerability [M-2] above.

  3. There are several other ways in which the protocol allows the organiser to abuse its power to rug pull participants or break the protocol. See vulnerabilities [H-1], [H-2] and [H-5] above.

Impact: The protocol is susceptible to a rug pull by the organiser, and it stops working if the organiser simply fails to act.

Recommended Mitigation: There is no single fix for centralisation, but the following steps reduce the risk:

  1. Tighten role restrictions throughout the protocol. Using OpenZeppelin's Ownable or AccessControl gives explicit, auditable roles instead of ad hoc organiser checks. Note that this only formalises the privilege; on its own it does not remove it.

  2. Remove the code paths that let the organiser rug pull or brick the protocol, for example by adding a permissionless fallback when the organiser fails to act in time and by putting configuration changes behind a public delay. See vulnerabilities [H-1], [H-2] and [H-5] discussed above.

  3. Use a multisig wallet for every address that holds a high-privilege role, so that a single compromised or malicious key cannot abuse it.
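The liveness failure from point 1 of the description and the mitigations listed above, as an added illustration that is not code from the Dussehra repository: a hypothetical contract that uses OpenZeppelin's AccessControl for the organiser role, lets anyone finalise the Ram selection once the organiser's deadline has passed, and puts the choosingRamContract swap behind a public timelock. The contract and function names, the 2-day delay, and the hash-based fallback pick are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative hardening pattern, not code from the Dussehra repository.
// Contract name, deadline handling and CONFIG_DELAY are assumptions.
import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";

contract RamSelectionHardened is AccessControl {
    bytes32 public constant ORGANISER_ROLE = keccak256("ORGANISER_ROLE");
    uint256 public constant CONFIG_DELAY = 2 days; // assumed timelock length

    uint256 public immutable selectionDeadline;
    address public selectedRam;
    address[] private candidates;

    address public choosingRamContract;
    address public pendingChoosingRamContract;
    uint256 public pendingChoosingRamEta;

    event RamSelected(address indexed ram, bool viaFallback);
    event ChoosingRamContractQueued(address indexed next, uint256 eta);
    event ChoosingRamContractApplied(address indexed next);

    error AlreadySelected();
    error DeadlinePassed();
    error DeadlineNotReached();
    error NoCandidates();
    error NotACandidate();
    error NothingQueued();
    error TimelockActive();

    // organiserMultisig is assumed to be a multisig wallet, not a single EOA.
    constructor(address organiserMultisig, uint256 deadline, address initialChoosingRam) {
        _grantRole(DEFAULT_ADMIN_ROLE, organiserMultisig);
        _grantRole(ORGANISER_ROLE, organiserMultisig);
        selectionDeadline = deadline;
        choosingRamContract = initialChoosingRam;
    }

    // Entries close at the deadline, so the candidate set is fixed before the
    // permissionless fallback can run.
    function enter() external {
        if (selectedRam != address(0)) revert AlreadySelected();
        if (block.timestamp >= selectionDeadline) revert DeadlinePassed();
        candidates.push(msg.sender);
    }

    // Privileged path: the organiser may pick, but only before the deadline.
    function selectRam(address ram) external onlyRole(ORGANISER_ROLE) {
        if (selectedRam != address(0)) revert AlreadySelected();
        if (block.timestamp >= selectionDeadline) revert DeadlinePassed();
        if (!_isCandidate(ram)) revert NotACandidate();
        selectedRam = ram;
        emit RamSelected(ram, false);
    }

    // Permissionless fallback: once the deadline has passed anyone can
    // finalise, so organiser inaction cannot strand the funds. The pick is a
    // deterministic hash of the closed candidate list; it is a liveness
    // guarantee, not a fair lottery (use a VRF if fairness matters).
    function selectRamIfNotSelected() external {
        if (selectedRam != address(0)) revert AlreadySelected();
        if (block.timestamp < selectionDeadline) revert DeadlineNotReached();
        address[] memory c = candidates;
        if (c.length == 0) revert NoCandidates();
        address ram = c[uint256(keccak256(abi.encode(c))) % c.length];
        selectedRam = ram;
        emit RamSelected(ram, true);
    }

    // Admin config changes are queued behind a public delay instead of taking
    // effect instantly, so participants can see a swap of the contract that
    // decides NFT characteristics before it happens.
    function queueChoosingRamContract(address next) external onlyRole(DEFAULT_ADMIN_ROLE) {
        pendingChoosingRamContract = next;
        pendingChoosingRamEta = block.timestamp + CONFIG_DELAY;
        emit ChoosingRamContractQueued(next, pendingChoosingRamEta);
    }

    // Anyone may apply a matured change; nobody can shortcut the delay.
    function applyChoosingRamContract() external {
        address next = pendingChoosingRamContract;
        if (next == address(0)) revert NothingQueued();
        if (block.timestamp < pendingChoosingRamEta) revert TimelockActive();
        choosingRamContract = next;
        pendingChoosingRamContract = address(0);
        pendingChoosingRamEta = 0;
        emit ChoosingRamContractApplied(next);
    }

    function _isCandidate(address a) private view returns (bool) {
        for (uint256 i = 0; i < candidates.length; i++) {
            if (candidates[i] == a) return true;
        }
        return false;
    }
}
```

Deploy it with a multisig as organiserMultisig and it covers all three mitigations at once: the role is explicit, the privileged action has a permissionless escape hatch after the deadline, and the one admin setter that can change NFT characteristics is visible on chain for CONFIG_DELAY before it applies. In a Foundry test the two failure modes are easy to exercise with vm.warp: calling selectRamIfNotSelected before the deadline must revert with DeadlineNotReached, and after it must succeed from any address.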

Updates

Lead Judging Commences

bube (Lead Judge), about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags: Info/Gas/Invalid according to docs
