Creamy Tan Kitten
High
Because the governance role is centralized and responsible for critical functionalities, it constitutes a single point of failure within the Hats Protocol.
The role can perform the following privileged operations: ● Whitelisting a perpetual market ● Setting economic parameters ● Updating price oracle addresses and setting fixed prices for assets ● Managing protocol insurance funds ● Updating the addresses of core contracts ● Adding support for new reserve tokens to the UA contract ● Pausing and unpausing protocol operations These privileges give governance complete control over the protocol and therefore access to user and protocol funds. This increases the likelihood that the governance account will be targeted by an attacker and incentivizes governance to act maliciously. Note, though, that the governance role is currently controlled by a multisignature wallet (a multisig) and that control may be transferred to a decentralized autonomous organization (DAO) in the future.
Eve, an attacker, creates a fake token, compromises the governance account, and adds the fake token as a reserve token for UA. She mints UA by making a deposit of the fake token and then burns the newly acquired UA tokens, which enables her to withdraw all USDC from the reserves.
The Governance control lies in the hand of the signer.
Manual Review
Short term, minimize the privileges of the governance role and update the documentation to include the implications of those privileges. Additionally, implement reasonable time delays for privileged operations. Long term, document an incident response plan and ensure that the private keys for the multisig are managed safely. Additionally, carefully evaluate the risks of moving from a multisig to a DAO and consider whether the move is necessary.