Summary

Critical functions lack proper access control, allowing unauthorized actors to manipulate protocol parameters.

Vulnerability Details

Functions like setAutoDeleveragingParams or updateDynamicCaps in MarketCreditBranch or CreditDelegationBranch may not enforce onlyOwner/onlyPerpsEngine modifiers.

Impact

Attackers could disable auto-deleveraging, set malicious caps, or drain funds.

Tools Used

Manual review, Slither (access control detector).

Recommendations

Use OpenZeppelin’s AccessControl to restrict critical functions to trusted roles (e.g., DEFAULT_ADMIN_ROLE).