Certain contracts have state variables, e.g. `owner`, which provide certain addresses with privileged roles. Such roles may pose a risk to end-users. For a detailed list of roles per contract see the following list: The owner of the `MultiSourceLoan` contract has access to: 1. `setDelegateRegistry()` to update the delegate registry 2. `setMaxSources()` to update the total number of sources a loan's principal can be partitioned in. 3. `updateRefinanceInterestFraction()` to update the percentual share of how much of the delta of a refinanced source the original lender is entitled to in case of loan repayment and renegotiations. 4. `setFlashActionContract()` to update the address that a borrower can execute flash loans with when their asset is locked as collateral. 5. Via inheritance of the abstract `WithCallbacks` contract, the `MultiSourceLoan` contract furthermore has access to:
a) `addWhitelistedCallbackContract()` and `removeWhitelistedCallbackContract()` to maintain the list of whitelisted callback contract instances that can reenter after the execution of callback hooks. 7. Via inheritance of the abstract `BaseLoan` contract, the `MultiSourceLoan` contract furthermore has access to:
b) `updateProtocolFee()` and `setProtocolFee()`, offering a two-step update mechanism to overwrite the protocol fee deducted at various places in the protocol.
c) `updateLiquidationContract()` to update the contract to use for liquidations. Overwriting this contract with incorrect values could cause the loss of all collateral of defaulted loans.
d) `updateLiquidationAuctionDuration()` to update the base duration of the auction outside of the quiet-ending mechanic.

The owner of the `AuctionLoanLiquidator` contract has access to: 1. `addLoanContract()` and `removeLoanContract()` that maintains a list of approved loan contracts that this contract can perform liquidations for. 2. `updateTriggerFee()`, which enables the liquidator to specify the fees transferred to the initiators and finalizers of the liquidation process, with an upper bound of 0.5% for both.

The owner of the `AddressManager` contract has access to: 1. `add()`, `addtoWhiteList()`, `removeFromWhitelist()`, which maintains a list of whitelisted addresses. It is leveraged to maintain a whitelist of ERC20 tokens approved for principal/payments and a whitelist of ERC721 token addresses approved as collateral. The `Leverage` contract also maintains a list of the approved external marketplaces that can be used in loans emitted together with hooks.

The owner of the `Leverage` contract has access to: 1. `updateMultiSourceLoanAddressFirst()` and `finalUpdateMultiSourceLoanAddress()`, offering a two-step update mechanism to overwrite the address able to access the hook functions. 2. `updateSeaportAddressFirst()` and `finalUpdateSeaportAddress()`, offering a two-step update mechanism to update the `_seaport` address that can be used in external hooks.