Core Contracts

Relevant Links

Summary

Protocol owners can wind up locking themselves out of important parts of the protocol.

Vulnerability Details

RAACToken is an ownable contract with the following external functions:

• Has an onlyMinter modifier

• setMinter(...) external onlyOwner

• mint(...) external onlyMinter

• setFeeCollector(...) external onlyOwner

• setSwapTaxRate(...) external onlyOwner

• setBurnTaxRate(...) external onlyOwner

• setTaxRateIncrementLimit(...) external onlyOwner

• manageWhitelist(...) external onlyOwner

• transferOwnership(...) public virtual onlyOwner -> inherited from the Ownable contract

We can notice that, only the owner can set the minter and only the minter can mint RAACTokens.

RAACMinter contract is a non-upgradeable contract that is designated as the minter of RAACtoken, given it says it in the contract name as well as the fact that, it calls RAACToken.mint function. In addition to that, we can deduce as well that, the RAACMinter will be given the owner role of the RAACToken as evidenced by the fact that, there are methods in RAACMinter that call only owner protected methods in RAACToken. For example:
- setFeeCollector(...) external onlyRole(UPDATER_ROLE) : this function calls the setFeeCollector only owner protected method of RAACToken
- setSwapTaxRate
- setBurnTaxRate
The above methods can only be called by someone with the UPDATER_ROLE. This leads me to believe that, the protocol intends for RAACMinter to be both the admin and minter of RAACToken. The issue here is that, the moment the ownership of the RAACToken is transferred to the RAACMinter perhaps through an ownership transfer or set as the initial owner of the RAACToken through the constructor parameter, the protocol gets locked out of the following parts of the RAACToken:

1. There's no way for RAACMinter to transfer ownership of RAACToken to another address. This means, RAACMinter becomes the eternal owner of RAACToken.

2. RAACMinter being the current owner and minter of RAACToken can't transfer it's minter role to another address.

3. RAACMinter ( aka the owner of RAACToken ) is unable to update the taxRateIncrementLimit. That is, it can't call RAACToken::setTaxRateIncrementLimit

4. RAACMinter is unable to whitelist or "un-whitelist" addresses on RAACToken.

To what good is an admin if he himself ends up locked out of the protocol?

Impact

Protocol owners end up locked out of their own protocol. Unable to manage the whitelist of the protocol as well as taxRateIncrementLimit.

Tools Used

Manual review

Recommendations

Create a dedicated contract ( let's call it RAACOwner ) that calls all the owner related function and remove said functions from the RAACMinter contract.