# Owner can withdraw all contract balance **Description** The owner can call emergencyWithdraw function not to withdraw tokens that send to the contract mistakenly but to withdraw all contract balance. IronVest.sol line 478 **Recommendation** We recommend removing this function or add a variable that stores last deposit then limit the withdraw to this variable. # Owner can add another owner **Description** Owner can add another admin with grantRole function. Let's take a case that the owner said he renounced the ownership with his proper account. If he already called grantRole function without your knowing. He can get access to all owner features with the other account. AccessControlUpgradeable.sol line 150 **Recommendation** We recommend adding a require statement in grantRole function that checks if role argument is not DEFAULT_ADMIN_ROLE (0x00). safi hhhhhhhh