PoolTogether

PoolTogether's protocol is upgradeable via a 2-of-N multisig admin contract with no timelock. The admin key can modify critical parts of the smart contract ecosystem and could drain funds if used maliciously.

Is the security of user funds dependent on the opsec of the admin key?

Yes ⚠️

Current Admin Key Config

Timelock: None ⚠️

Multisig: 2-of-N (Gnosis multisig contract)

Claimed Admin Key OpSec

None

Verified Admin Key OpSec

Unverifiable ⚠️

Admin Key Address

https://etherscan.io/address/0x98ea2d8438f70ce876c2db26fc494cfed10b4cd7

More Info & Documentation

OpenZeppelin Audit Disclosures

OpenZeppelin Audit Summary