Contract Owner Privileges

Developer Response to the Certik audit and RugDoc review

The contracts below do not utilize upgradeable proxies unless otherwise stated.

AddyStakingRewards.sol

  • Centralization risk of migrate/migrateLockedStake function

  • Third-party IMigrator(migrator).migrate() dependencies

Reasoning for having that function:

  • If the functionality of MultiFeeDistribution is ever changed, that would require a full ADDY token migration since that contract owns the ADDY token contract. Users would need the ability to migrate their locked liquidity positions from the old ADDY token to the new ADDY token.

  • If the platform hosting the ADDY/WETH pool is changed, that would also require liquidity to be migrated to the new platform (e.g. moving from Uniswap v2 to Uniswap v3).

The migrateLockedStake function requires the owner of each locked stake to manually authorize the migration of their stake to the new contract, unlike PancakeSwap's infamous migrate function, which migrates all funds in the contract.
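The opt-in pattern described above, as an added sketch that is not the AddyStakingRewards source: the contract name, storage layout, events and the IMigrator.migrate signature are assumptions made for illustration. The owner can only choose the migrator address; each stake moves only when its own staker calls migrateLockedStake.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration with hypothetical names; not the AddyStakingRewards source.
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IMigrator {
    // Assumed signature: pulls `amount` and re-creates the lock for `staker`.
    function migrate(address staker, uint256 amount, uint256 unlockTime) external;
}

contract OptInMigrationSketch {
    struct LockedStake { uint256 amount; uint256 unlockTime; }

    address public immutable owner;
    IERC20 public immutable stakingToken;
    address public migrator; // owner-controlled: this is the centralization risk
    mapping(address => LockedStake[]) public lockedStakes;

    event MigratorSet(address indexed newMigrator);
    event StakeMigrated(address indexed staker, uint256 index, uint256 amount);

    constructor(IERC20 token) { owner = msg.sender; stakingToken = token; }

    function stakeLocked(uint256 amount, uint256 lockSeconds) external {
        require(amount > 0, "zero amount");
        lockedStakes[msg.sender].push(LockedStake(amount, block.timestamp + lockSeconds));
        require(stakingToken.transferFrom(msg.sender, address(this), amount), "transfer failed");
    }

    function setMigrator(address newMigrator) external {
        require(msg.sender == owner, "not owner");
        migrator = newMigrator;
        emit MigratorSet(newMigrator); // stakers can review the target before opting in
    }

    // Keyed on msg.sender: nobody, including the owner, can move another user's stake.
    function migrateLockedStake(uint256 index) external {
        require(migrator != address(0), "no migrator");
        LockedStake memory s = lockedStakes[msg.sender][index];
        require(s.amount > 0, "nothing to migrate");
        delete lockedStakes[msg.sender][index]; // clear state before the external call
        require(stakingToken.approve(migrator, s.amount), "approve failed"); // this stake only
        IMigrator(migrator).migrate(msg.sender, s.amount, s.unlockTime);
        emit StakeMigrated(msg.sender, index, s.amount);
    }
}
```

The allowance granted to the migrator is limited to the single stake being moved, so a staker who never opts in has no funds exposed to it. A staker who does opt in still depends on the migrator contract behaving correctly, which is the third-party dependency listed above.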

Minter.sol

  • Centralized Risk

  • Privileged ownership of addyPerProfitEth

These owner privilege issues are currently addressed by the minter contract being owned by a timelock contract.

Arbitrum note: Due to the rapid pace at which new vaults will be added for Arbitrum for the next few days, Arbitrum's minter contract currently isn't timelocked.

Reasoning for having those functions:

  • The developer will need to grant minting privileges to new vaults on a regular basis.

  • The developer will eventually need to change the price calculator contract in order to implement other suggested changes in the audit.

  • The developer will reduce the ADDY emission rate over time.

StrategyBase.sol

  • Owner can withdraw tokens except wantToken (the LP token that users deposit) and harvestedToken from the contract. The gauge (deposit receipt) token is also restricted for pools that have such tokens (e.g. Curve).

Reasoning for having that function:

  • Certain special vaults like the PUSD stability pool vault utilized an external contract to hold and convert "special" payments that the normal vault code does not account for, such as MATIC payments from Polyquity's stability pool after a liquidation. During a large downward price movement, the PUSD stability pool vault received over 900k MATIC worth of liquidation payments, which required the developer to withdraw it to an external contract and convert it to PUSD over the course of multiple days in order to avoid getting "rekt" by slippage.

VaultBase.sol/GenericVault.sol

  • Owner can change the early withdrawal penalty time (up to 30 days)

  • Owner can change the reward multiplier (up to 10x, reduced to 3x for newer vaults)

  • Owner can change the early withdrawal penalty (5%, reduced to 0.5% for newer vaults)

    • The Emergency Withdraw function is only meant to be used if there is an error with reward calculation that breaks the contract. Therefore, it is also affected by the early withdrawal penalty and early withdrawal penalty time in order to prevent stakers from claiming rewards and then calling that function to bypass the early withdrawal penalty.

ERCFund.sol

  • Privileged ownership of recover

Reasoning for having that function:

  • The Converter contract owns the ERCFund contract. It uses the recover function to transfer tokens to it, then performs various functions such as:

    • Breaking up LP tokens.

    • Converting tokens to WMATIC before sending it to the fee distribution contract.

    • Executing ADDY buybacks.