The absence of multisig protection and a timelock mechanism for the ORACLE_ADMIN role poses significant risks, including the potential for price feed manipulation, rapid and unpredictable changes to price feeds, loss of trust and participation, and difficulty in recovery from errors or malicious actions.
Proof of Concept
The RoleManager contract in the Renzo protocol lacks multisig protection and a timelock mechanism for the ORACLE_ADMIN role at RoleManager::isOracleAdmin function. This role is critical for setting price feed oracles for ERC20 tokens, which are fundamental to the protocol's operations, including trading, liquidity provision, and other financial activities.
The issue was identified in the RoleManager contract, specifically at this line: RoleManager.sol#L51. This line of code does not include any multisig protection or timelock mechanism for the ORACLE_ADMIN role, which allows the admin to set price feed oracles for ERC20 tokens without any checks or delays.
A scenario illustrating the impact could be a situation where a malicious ORACLE_ADMIN manipulates the price feed for a popular ERC20 token, leading to incorrect pricing information. This manipulation could disrupt trading, affect liquidity provision, and potentially lead to financial losses for users and participants in the protocol.
Tools Used
Manual review of the contract code using VSCode.
Recommended Mitigation Steps
To mitigate the risk of a single compromised or malicious ORACLE_ADMIN, implement multisig protection. This requires defining a new role, such as MULTISIG_APPROVER_ROLE, and modifying the contract to require approval from multiple addresses before allowing changes to the ORACLE_ADMIN role.
To prevent rapid and unchecked changes to the ORACLE_ADMIN role, implement a timelock mechanism. This requires integrating with an external timelock contract that allows scheduling actions to be executed after a certain delay.
Lines of code
https://github.com/code-423n4/2024-04-renzo/blob/1c7cc4e632564349b204b4b5e5f494c9b0bc631d/contracts/Permissions/RoleManager.sol#L51
Vulnerability details
Impact
The absence of multisig protection and a timelock mechanism for the
ORACLE_ADMIN
role poses significant risks, including the potential for price feed manipulation, rapid and unpredictable changes to price feeds, loss of trust and participation, and difficulty in recovery from errors or malicious actions.Proof of Concept
The
RoleManager
contract in the Renzo protocol lacks multisig protection and a timelock mechanism for theORACLE_ADMIN
role atRoleManager::isOracleAdmin
function. This role is critical for setting price feed oracles for ERC20 tokens, which are fundamental to the protocol's operations, including trading, liquidity provision, and other financial activities.The issue was identified in the
RoleManager
contract, specifically at this line: RoleManager.sol#L51. This line of code does not include any multisig protection or timelock mechanism for theORACLE_ADMIN
role, which allows the admin to set price feed oracles for ERC20 tokens without any checks or delays.A scenario illustrating the impact could be a situation where a malicious
ORACLE_ADMIN
manipulates the price feed for a popular ERC20 token, leading to incorrect pricing information. This manipulation could disrupt trading, affect liquidity provision, and potentially lead to financial losses for users and participants in the protocol.Tools Used
Manual review of the contract code using VSCode.
Recommended Mitigation Steps
To mitigate the risk of a single compromised or malicious
ORACLE_ADMIN
, implement multisig protection. This requires defining a new role, such asMULTISIG_APPROVER_ROLE
, and modifying the contract to require approval from multiple addresses before allowing changes to theORACLE_ADMIN
role.To prevent rapid and unchecked changes to the
ORACLE_ADMIN
role, implement a timelock mechanism. This requires integrating with an external timelock contract that allows scheduling actions to be executed after a certain delay.Assessed type
Access Control