When critical parameters of systems need to be changed, it is required to broadcast the change via event emission and recommended to enforce the changes after a time-delay. This is to allow system users to be aware of such critical changes and give them an opportunity to exit or adjust their engagement with the system accordingly. None of the onlyOwner functions that change critical protocol addresses/parameters have a timelock for a time-delayed change to alert: (1) users and give them a chance to engage/exit protocol if they are not agreeable to the changes (2) team in case of compromised owner(s) and give them a chance to perform incident response.
Instances number of this issue: 12
// gateway/GraphTokenGateway.sol
30: function setPauseGuardian(address _newPauseGuardian) external onlyGovernor {
// gateway/L1GraphTokenGateway.sol
109: function setArbitrumAddresses(address _inbox, address _l1Router) external onlyGovernor {
121: function setL2TokenAddress(address _l2GRT) external onlyGovernor {
131: function setL2CounterpartAddress(address _l2Counterpart) external onlyGovernor {
141: function setEscrowAddress(address _escrow) external onlyGovernor {
// governance/Managed.sol
95: function setController(address _controller) external onlyController {
// l2/gateway/L2GraphTokenGateway.sol
97: function setL2Router(address _l2Router) external onlyGovernor {
107: function setL1TokenAddress(address _l1GRT) external onlyGovernor {
117: function setL1CounterpartAddress(address _l1Counterpart) external onlyGovernor {
// l2/token/L2GraphToken.sol
59: function setGateway(address _gw) external onlyGovernor {
69: function setL1Address(address _addr) external onlyGovernor {
// upgrades/GraphProxy.sol
104: function setAdmin(address _newAdmin) external ifAdmin {
Suggestion:
Users may be surprised when critical parameters are changed. Furthermore, it can erode users' trust since they can’t be sure the protocol rules won’t be changed later on. Compromised owner keys may be used to change protocol addresses/parameters to benefit attackers. Without a time-delay, authorized owners have no time for any planned incident response. (May be medium since owner can change critical parameters at anytime that can affect the users poorly).
Use a more recent version of solidity
Use a solidity version of at least 0.8.0 to get arithmetic checks.
Use a solidity version of at least 0.8.4 to get custom errors, which are cheaper at deployment than revert()/require() strings.
Use a solidity version of at least 0.8.10 to have external calls skip contract existence checks if the external call has a return value.
Use a solidity version of at least 0.8.16 to have fix data corruption that affected ABI-encoding of calldata values represented by tuples: structs at any nesting level; argument lists of external functions, events and errors; return value lists of external functions. The 32 leading bytes of the first dynamically-encoded value in the tuple would get zeroed when the last component contained a statically-encoded array.
Apart from these, there are several minor bug fixes and improvements.
Description: Using very old versions of Solidity prevents benefits of bug fixes and newer security checks. Using the latest versions might make contracts susceptible to undiscovered compiler bugs.
Suggestion: Consider using the most recent version.
Avoid floating pragmas: the version should be locked
The pragma declared across the contracts is ^0.7.6. Locking the pragma (for e.g. by not using ^ in pragma solidity 0.7.6) ensures that contracts do not accidentally get deployed using an older compiler version with unfixed bugs. (see here)
Description: Contracts should be deployed with the same compiler version and flags that they have been tested with thoroughly. Locking the pragma helps to ensure that contracts do not accidentally get deployed using, for example, an outdated compiler version that might introduce bugs that affect the contract system negatively.
Missing Time locks
When critical parameters of systems need to be changed, it is required to broadcast the change via event emission and recommended to enforce the changes after a time-delay. This is to allow system users to be aware of such critical changes and give them an opportunity to exit or adjust their engagement with the system accordingly. None of the onlyOwner functions that change critical protocol addresses/parameters have a timelock for a time-delayed change to alert: (1) users and give them a chance to engage/exit protocol if they are not agreeable to the changes (2) team in case of compromised owner(s) and give them a chance to perform incident response.
Instances number of this issue: 12
Suggestion: Users may be surprised when critical parameters are changed. Furthermore, it can erode users' trust since they can’t be sure the protocol rules won’t be changed later on. Compromised owner keys may be used to change protocol addresses/parameters to benefit attackers. Without a time-delay, authorized owners have no time for any planned incident response. (May be medium since owner can change critical parameters at anytime that can affect the users poorly).
Use a more recent version of solidity
Use a solidity version of at least 0.8.0 to get arithmetic checks.
Use a solidity version of at least 0.8.4 to get custom errors, which are cheaper at deployment than
revert()/require()strings.Use a solidity version of at least 0.8.10 to have external calls skip contract existence checks if the external call has a return value.
Use a solidity version of at least 0.8.16 to have fix data corruption that affected ABI-encoding of calldata values represented by tuples: structs at any nesting level; argument lists of external functions, events and errors; return value lists of external functions. The 32 leading bytes of the first dynamically-encoded value in the tuple would get zeroed when the last component contained a statically-encoded array. Apart from these, there are several minor bug fixes and improvements.
Description: Using very old versions of Solidity prevents benefits of bug fixes and newer security checks. Using the latest versions might make contracts susceptible to undiscovered compiler bugs.
Suggestion: Consider using the most recent version.
Avoid floating pragmas: the version should be locked
The pragma declared across the contracts is ^0.7.6. Locking the pragma (for e.g. by not using ^ in pragma solidity 0.7.6) ensures that contracts do not accidentally get deployed using an older compiler version with unfixed bugs. (see here)
Description: Contracts should be deployed with the same compiler version and flags that they have been tested with thoroughly. Locking the pragma helps to ensure that contracts do not accidentally get deployed using, for example, an outdated compiler version that might introduce bugs that affect the contract system negatively.
Suggestion: Consider locking the pragma version.