yondonfu
commented
2 years ago Severity: 1 (Low)
Events related, but bumping to 1 because of the point about the use of a timelock - in practice, a Governor contract will be used to queue updates to be executed with a delay if needed.
Handle
cccz
Vulnerability details
Impact
Same as https://github.com/code-423n4/2021-09-swivel-findings/issues/101 and https://github.com/code-423n4/2021-11-overlay-findings/issues/120
Only* functions that change critical contract parameters/addresses/state should emit events and consider adding timelocks so that users and other privileged roles can detect upcoming changes (by offchain monitoring of events) and have the time to react to them
Proof of Concept
https://github.com/livepeer/arbitrum-lpt-bridge/blob/main/contracts/L2/gateway/L2LPTDataCache.sol#L29-L39
https://github.com/livepeer/arbitrum-lpt-bridge/blob/main/contracts/L2/gateway/L2LPTGateway.sol#L48-L53
https://github.com/livepeer/arbitrum-lpt-bridge/blob/main/contracts/L2/gateway/L2Migrator.sol#L97-L102
https://github.com/livepeer/arbitrum-lpt-bridge/blob/main/contracts/L2/gateway/L2Migrator.sol#L108-L113
https://github.com/livepeer/arbitrum-lpt-bridge/blob/main/contracts/L1/gateway/L1LPTGateway.sol#L51-L56
https://github.com/livepeer/arbitrum-lpt-bridge/blob/main/contracts/L1/gateway/L1LPTGateway.sol#L63-L65
https://github.com/livepeer/protocol/blob/streamflow/contracts/token/BridgeMinter.sol#L45-L122
Tools Used
Manual analysis
Recommended Mitigation Steps
Consider using a timelock for critical params of the system and emitting events to inform the outside world.