(1/5) I was pretty excited to play around with the @ProjectSerum ERC20 deposit feature, but after digging into the smart contract code, I found it left a lot to be desired from a decentralization standpoint.

(2/5) After using it to deposit an ERC20 token, I found the Ethereum contract behind it: https://etherscan.io/address/0xeae57ce9cc1984f202e15e038b964bb8bdf7229a

(3/5) My biggest concern is that it seems that the contract owner has the ability to withdraw any amount of ERC20 token or ETH stored in the contract.

(4/5) The owner appears to be just a normal EOA: https://etherscan.io/address/0x067d382e61c06cea2815069d9d97fd3ee5df2361, so whoever controls that address can drain the contract (roughly $6M in funds at this time).

(5/5) It also seems that for someone to withdraw tokens they put into the contract, they need a signature from the contract owner as well. Again, a great deal of power is vested in the EOA owner.
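To make the shape of the problem concrete, below is an added illustration (not the Serum contract's source, which you should read yourself at the Etherscan link above, and not code from the thread's author). `CustodialDeposit` has the two properties the thread calls out: a single owner address can sweep any ERC20 or ETH balance, and a depositor cannot get funds back without a signature from that same owner. `ThresholdDeposit` keeps the same deposit/release flow but removes the owner sweep entirely and requires a threshold of distinct signers from a fixed set, so one compromised key can neither drain the contract nor authorize a release. Contract names, function names and the signed-message layout are all hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC20 surface needed by both examples.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Pattern A (hypothetical, illustrating the shape described in the thread): one EOA
// "owner" can sweep any token or ETH, and a depositor needs that owner's signature to
// withdraw anything.
contract CustodialDeposit {
    address public owner;
    mapping(bytes32 => bool) public usedDigests;

    constructor() { owner = msg.sender; }
    receive() external payable {}

    function deposit(IERC20 token, uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
    }

    // Whoever holds the owner key can move every token balance out of the contract...
    function ownerWithdrawToken(IERC20 token, address to, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        require(token.transfer(to, amount), "transfer failed");
    }

    // ...and every wei of ETH it holds.
    function ownerWithdrawETH(address payable to, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        to.transfer(amount);
    }

    // Depositors cannot act alone: the owner must have signed (contract, token, to, amount, nonce).
    function withdrawWithSignature(
        IERC20 token, address to, uint256 amount, uint256 nonce,
        uint8 v, bytes32 r, bytes32 s
    ) external {
        bytes32 digest = keccak256(abi.encodePacked(address(this), address(token), to, amount, nonce));
        require(!usedDigests[digest], "replayed");
        require(ecrecover(ethSigned(digest), v, r, s) == owner, "bad owner signature");
        usedDigests[digest] = true;
        require(token.transfer(to, amount), "transfer failed");
    }

    function ethSigned(bytes32 h) internal pure returns (bytes32) {
        return keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", h));
    }
}

// Pattern B (hypothetical hardening): same deposit/release flow, but (1) there is no
// owner sweep function at all, and (2) a release needs `threshold` distinct signers from
// a set fixed at deployment, so no single key controls the funds.
contract ThresholdDeposit {
    mapping(address => bool) public isSigner;
    uint256 public immutable threshold;
    mapping(bytes32 => bool) public usedDigests;

    constructor(address[] memory signers, uint256 _threshold) {
        require(_threshold > 0 && _threshold <= signers.length, "bad threshold");
        for (uint256 i = 0; i < signers.length; i++) isSigner[signers[i]] = true;
        threshold = _threshold;
    }

    function deposit(IERC20 token, uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
    }

    // Signatures must be supplied in strictly ascending signer-address order; that is the
    // cheap way to guarantee `threshold` *distinct* signers without extra storage. Starting
    // `last` at address(0) also rejects ecrecover's address(0) result on a malformed signature.
    function release(
        IERC20 token, address to, uint256 amount, uint256 nonce,
        uint8[] calldata v, bytes32[] calldata r, bytes32[] calldata s
    ) external {
        require(v.length >= threshold && v.length == r.length && r.length == s.length, "bad signature set");
        bytes32 digest = keccak256(abi.encodePacked(address(this), address(token), to, amount, nonce));
        require(!usedDigests[digest], "replayed");
        bytes32 h = keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", digest));
        address last = address(0);
        for (uint256 i = 0; i < v.length; i++) {
            address signer = ecrecover(h, v[i], r[i], s[i]);
            require(signer > last && isSigner[signer], "bad or duplicate signer");
            last = signer;
        }
        usedDigests[digest] = true;
        require(token.transfer(to, amount), "transfer failed");
    }
}
```

Two practical notes. First, a bridge-style contract genuinely cannot let depositors self-serve, since tokens must stay locked until the other chain proves they were burned, so some off-chain authority has to sign releases; the question is whether that authority is one EOA or a threshold of independent keys, and whether an unrelated sweep function exists at all. Second, to verify the "owner is an EOA" observation on any contract, call `eth_getCode` on the owner address: it returns `0x` for an EOA and the deployed bytecode for a contract such as a multisig.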