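In CvxConvergenceLocker there is a constant variable, CVX_LOCKER:

```solidity
ICvxLocker public constant CVX_LOCKER = ICvxLocker(0x72a19342e8F1838460eBFCCEf09F6585e32db86E);
```

At first we might assume that this address, like any other Convergence constant contract address, points to a proxy. But CVX_LOCKER is not a proxy, so any change to it requires a redeployment. Looking inside the contract, there is a function to shut down the Vote Locked Convex Token (vlCVX): https://etherscan.io/address/0x72a19342e8F1838460eBFCCEf09F6585e32db86E#code#L1146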

```solidity
//shutdown the contract. unstake all tokens. release all locks
function shutdown() external onlyOwner {
    if (stakingProxy != address(0)) {
        uint256 stakeBalance = IStakingProxy(stakingProxy).getBalance();
        IStakingProxy(stakingProxy).withdraw(stakeBalance);
    }
    isShutdown = true;
}
```

This implies that once the contract is shut down, it cannot be revived and the shutdown status cannot be reverted. When another version of the contract is deployed, if the function signature is still the same, CvxConvergenceLocker might be unable to update to the new address.
Currently, several setters exist in the CvxConvergenceLocker contract, but none for CVX_LOCKER:
setCvxDelegateRegistry
setCvxStakingPositionService
setMintFees
setRewardTokensConfiguration
A similar shutdown issue also occurs in the staking wrapper.
Recommendation
Consider adding a setter for CVX_LOCKER in case there is a shutdown and an update to a new contract.
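
One way to implement the recommended setter, as an added sketch that is not Convergence's or Convex's code: the contract name, `setCvxLocker`, the event and the `ICvxLockerMinimal` interface are hypothetical, and it assumes the locker exposes its `isShutdown` flag through a public getter. Because the locker address becomes mutable, the setter only permits a switch once the current locker has been shut down.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Minimal view of the vlCVX locker used by this sketch (assumed interface,
/// based on the isShutdown flag that shutdown() sets).
interface ICvxLockerMinimal {
    function isShutdown() external view returns (bool);
}

/// Hypothetical sketch: the locker address lives in storage, not in a constant.
contract LockerAddressSketch {
    address public owner;
    ICvxLockerMinimal public cvxLocker; // replaces `constant CVX_LOCKER`

    event CvxLockerUpdated(address indexed previous, address indexed current);

    modifier onlyOwner() {
        require(msg.sender == owner, "NOT_OWNER");
        _;
    }

    constructor(ICvxLockerMinimal initialLocker) {
        require(address(initialLocker) != address(0), "ZERO_ADDRESS");
        owner = msg.sender;
        cvxLocker = initialLocker;
    }

    /// Repoint to a redeployed locker, only once the current one is shut down.
    function setCvxLocker(ICvxLockerMinimal newLocker) external onlyOwner {
        require(address(newLocker) != address(0), "ZERO_ADDRESS");
        require(address(newLocker).code.length > 0, "NOT_A_CONTRACT");
        require(address(newLocker) != address(cvxLocker), "SAME_LOCKER");
        // Limits owner power: the address can move only after the
        // irreversible shutdown of the current locker.
        require(cvxLocker.isShutdown(), "LOCKER_STILL_ACTIVE");
        require(!newLocker.isShutdown(), "NEW_LOCKER_SHUTDOWN");

        emit CvxLockerUpdated(address(cvxLocker), address(newLocker));
        cvxLocker = newLocker;
    }
}
```

The emitted event gives monitoring a single on-chain signal to alert on whenever the locker address changes.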
Github username: --
Twitter username: --
Submission hash (on-chain): 0x3e48b630f53a601ad6e8a14d674408c07de5a0b7d0c9cb440825ed60d787c020
Severity: low