CS Note 8.12: Zapper Remove Manager Requires Increased Trust

[bingen]

The zappers implement the same delegation scheme as the core system. There is a removeManager and a receiver, that can be set to different addresses. In the core system, the removeManager cannot directly profit or cause losses by making malicious changes, because the receiver will receive the funds.

In the zappers, the removeManager can directly profit and cause losses by making malicious changes, because they can decide the parameters of the swaps made in the leverage functions. Swapping at bad exchange rates (and sandwiching those swaps) can cause losses to the owner of the trove.

As a result, the trust required in a removeManager that is not also the receiver is higher in the zapper than in the core system.

[bingen]

This is a natural consequence of the increased power (perform swaps) that Leverage Zappers have.