Handle
WatchPug
Vulnerability details
https://github.com/livepeer/arbitrum-lpt-bridge/blob/ebf68d11879c2798c5ec0735411b08d0bea4f287/contracts/L2/token/LivepeerToken.sol#L36-L43
Using the burn() function of L2LivepeerToken, an address with BURNER_ROLE can burn an arbitrary amount of tokens from any address.
We believe this is unnecessary and poses a serious centralization risk.
A malicious or compromised BURNER_ROLE address can take advantage of this, burn the balance of a Uniswap pool and effectively steal almost all the funds from the liquidity pool (e.g., Uniswap LPT-WETH Pool).
Recommendation
Consider removing the BURNER_ROLE and changing the burn() function to:
https://github.com/livepeer/arbitrum-lpt-bridge/blob/49cf5401b0514511675d781a1e29d6b0325cfe88/contracts/L2/gateway/L2LPTGateway.sol#L34-L45
Mintable(l2Lpt).burn(from, _amount); in L2LPTGateway.sol#outboundTransfer() should also be replaced with:
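An added example (not the report's or the Livepeer project's code) of one design that removes the arbitrary-burn power: a holder can burn only its own balance, and any third party, including a gateway, needs an allowance from the holder. The contract names, the withdraw() function, the event and the use of OpenZeppelin Contracts are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumption: OpenZeppelin Contracts 4.5 or later (for _spendAllowance).
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";

// Hypothetical token for illustration; not the LivepeerToken source.
contract ConsentBurnToken is ERC20, AccessControl {
    bytes32 public constant MINTER_ROLE = keccak256("MINTER_ROLE");

    constructor() ERC20("Consent Burn Token", "CBT") {
        _grantRole(DEFAULT_ADMIN_ROLE, msg.sender);
    }

    function mint(address to, uint256 amount) external onlyRole(MINTER_ROLE) {
        _mint(to, amount);
    }

    // Pattern flagged in the report, shown only for contrast:
    //   function burn(address from, uint256 amount) external onlyRole(BURNER_ROLE) {
    //       _burn(from, amount);   // no consent from `from` is needed
    //   }

    // A holder can only destroy its own balance.
    function burn(uint256 amount) external {
        _burn(msg.sender, amount);
    }

    // Anyone else needs an allowance granted by `from`; it is checked and
    // spent here, so an account that never approved the caller cannot be burned.
    function burnFrom(address from, uint256 amount) external {
        _spendAllowance(from, msg.sender, amount);
        _burn(from, amount);
    }
}

// Hypothetical gateway: it holds no burn role on the token and can only
// burn what the withdrawing user approved to it beforehand.
contract ExampleGateway {
    ConsentBurnToken public immutable token;
    event WithdrawalInitiated(address indexed from, address indexed l1To, uint256 amount);
    constructor(ConsentBurnToken token_) { token = token_; }

    function withdraw(address l1To, uint256 amount) external {
        token.burnFrom(msg.sender, amount); // reverts without allowance
        emit WithdrawalInitiated(msg.sender, l1To, amount);
    }
}
```

With this shape, compromise of the gateway or of any privileged key exposes only balances whose owners have approved that address, not every holder's balance.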