Closed c4-bot-5 closed 4 months ago
This is by design and highlights a centralisation risk, which is known and also Out of Scope. We consider this issue invalid.
saxenism (sponsor) disputed
Similarly to #11, I cannot consider this exhibit as a valid submission based on the fact that a submission in a past contest has been properly consumed by the Sponsor's team and they do not intend to perform any follow-up alleviations, considering the present behavior correct.
alex-ppg marked the issue as unsatisfactory: Out of scope
Lines of code
https://github.com/code-423n4/2024-03-zksync/blob/4f0ba34f34a864c354c7e8c47643ed8f4a250e13/code/contracts/ethereum/contracts/governance/Governance.sol#L1
Vulnerability details
Proof of Concept
In the current governance setup, specific actions are designated to governance actors, including the owner and the security council. These actions encompass a range of capabilities such as
cancel
,execute
,executeInstant
,scheduleTransparent
, andscheduleShadow
. Notably, the governance contract's design allows for self-calling throughexecute
andexecuteInstant
, extending additional privileges to the owner for functions likeupdateSecurityCouncil
andupdateDelay
.Now as explained by this bug report, the implications of this setup leads to two deadlock scenarios:
scheduleTransparent
orscheduleShadow
is jeopardized, effectively halting future upgrades since the owner is the sole proposer.cancel
function to obstruct all owner-initiated upgrades. This blockade extends to critical governance changes such as the security council's update, given the owner's inability to utilizeexecuteInstant
and the expected nonzero proposal delay.These vulnerabilities indicate that a single compromise can disrupt the entire governance process.
Now it's been stated that
unfixed
issues from the past contest are OOS for this contest, but that's not the case for this report since we are proving how the fix applied by protocol does not actually mitgates the issue, this is cause protocol have applied the "fixes" , as confirmed by the commit with the currentGovernance.sol
, but erroneously does not fix the whole thing and only removed the security council's access tocancel()
.Impact
The governance framework remains susceptible to deadlock scenarios following a compromise of key actors. In this case if the owner's keys get compromised then it's automatically impossible for anyone to schedule any upgrades since they are the only ones that have access to this function.
Recommended Mitigation Steps
As previously suggested, enforce a minimum delay for upgrades, that way there is an insurance of sufficient time for response actions by stakeholders, before
updateDelay()
goes through.Assessed type
Access Control