Closed code423n4 closed 2 years ago
The bridges/swaps ecosystem is continually changing. This comes at the cost of having some degree of centralization. We chose the Diamond standard to be able to constantly add new bridges and update the existing ones as they improve and update.
Our team is currently focusing on creating a stable and trustworthy system as fast as possible. We agree with the increased safety a DAO/Multisign mechanism and will provide them in the future. Timelocks are currently not planned, as we want to be able to react fast if we have to disable bridges for security reasons (e.g. if the underlying bridge is being exploited)
Duplicate of #65
Lines of code
https://github.com/code-423n4/2022-03-lifinance/blob/main/src/Facets/CBridgeFacet.sol#L45
Vulnerability details
Impact
Owner can stop all bridge functionality with the changing cBridge contract address with the zero. The centralized structure can cause to pause all operations.
Proof of Concept
https://github.com/code-423n4/2022-03-lifinance/blob/main/src/Facets/CBridgeFacet.sol#L45
Tools Used
Code Review
Recommended Mitigation Steps
It is recommended to place necessary checks like zero address check and others. Put critical changes behind the timelock.