Summary
Timeline: From 2025-01-17 To 2025-01-20
Total Issues: 1 (1 resolved)
Medium Severity Issues: 1 (1 resolved)
Scope
This review aims to analyze the migration being carried out by DoDAO to implement the Market Admin on the Mantle network.
We audited the enact migration log and the migration script in PR #1 at commit a5a5f51.
Migration Review
We reviewed the Market Admin migration for the Mantle network. During the migration review, we analyzed the following aspects:
- Migration Call Sequence: The migration follows the expected sequence, updating the Configurator to the new implementation and all Comet market contracts on Mantle to operate under the new CometProxyAdmin.
- Contract Address Consistency: Each contract's address, including the CometProxyAdmin, Configurator, MarketAdminPermissionChecker, MarketUpdateTimelock, and MarketUpdateProposer contracts, was verified against the migration plan to ensure that the addresses were correct and consistent with our expectations.
- Code Integrity Check: We compared the deployed code for each new contract with the previously audited version to ensure that no unauthorized changes were introduced. This step was crucial to confirm that no new vulnerabilities were inadvertently introduced during deployment.
- Contract State Configuration: The initial state of each newly deployed contract was reviewed to ensure correct setup according to the migration plan. This included verifying that the ownership, permissions, and specific configuration variables such as marketAdmin, pauseGuardian, and proposalGuardian were set appropriately. We also verified that the ownership of the deployed contracts is correctly transferred to the current Timelock, making further changes to the state impossible before the Market Admin governance path goes live.
- Simulated Testing: To verify contract functionality and expected behavior, we conducted simulated tests. These simulations checked that the contracts, specifically MarketUpdateProposer and MarketUpdateTimelock, responded accurately to proposals, affirming that the governance changes were working as designed.
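The Code Integrity Check above compares deployed bytecode with the audited build. Solidity appends a CBOR metadata trailer (IPFS hash of the sources, compiler version) plus a 2-byte length to the runtime code, so two builds of identical source can differ only in that trailer and a raw byte comparison would report a false mismatch. The following added example (not code from the OpenZeppelin report or the DoDAO migration) strips that trailer before comparing; all bytecode, addresses and contract names in it are constructed sample values.

```python
# Added example: bytecode integrity check that ignores the Solidity metadata trailer.
# All sample bytecode and addresses below are constructed, not taken from any deployment.

RUNTIME_AUDITED = bytes.fromhex("608060405234801561001057600080fd5b50")
RUNTIME_TAMPERED = bytes.fromhex("608060405234801561001057600080fd5b00")  # last opcode changed


def solidity_metadata_trailer(ipfs_digest: bytes, solc_version: bytes) -> bytes:
    """Build a Solidity-style trailer: CBOR map {ipfs: 34 bytes, solc: 3 bytes} + 2-byte length."""
    assert len(ipfs_digest) == 34 and len(solc_version) == 3
    cbor = (b"\xa2"                                      # CBOR map with 2 entries
            + b"\x64ipfs" + b"\x58\x22" + ipfs_digest    # text "ipfs" -> byte string (34)
            + b"\x64solc" + b"\x43" + solc_version)      # text "solc" -> byte string (3)
    return cbor + len(cbor).to_bytes(2, "big")


def strip_metadata(code: bytes) -> bytes:
    """Remove the metadata trailer if one is present; otherwise return the code unchanged."""
    if len(code) < 2:
        return code
    meta_len = int.from_bytes(code[-2:], "big")
    start = len(code) - meta_len - 2
    # Plausibility check: the trailer must fit and must begin with a small CBOR map.
    if start < 0 or not (0xA0 <= code[start] <= 0xB7):
        return code
    return code[:start]


def code_matches(deployed: bytes, audited: bytes) -> bool:
    """True when the runtime code is identical once metadata is ignored."""
    return strip_metadata(deployed) == strip_metadata(audited)


def check_migration(plan: dict, chain_code: dict) -> list:
    """Return the names of contracts whose on-chain code differs from the audited build."""
    return [name for name, (addr, audited) in plan.items()
            if not code_matches(chain_code.get(addr, b""), audited)]


# Constructed sample: same runtime code built on two machines (different IPFS hashes),
# plus one deployment whose runtime code was altered.
AUDITED = RUNTIME_AUDITED + solidity_metadata_trailer(b"\x12\x20" + bytes(32), b"\x00\x08\x14")
DEPLOYED_OK = RUNTIME_AUDITED + solidity_metadata_trailer(b"\x12\x20" + b"\x01" * 32, b"\x00\x08\x14")
DEPLOYED_BAD = RUNTIME_TAMPERED + solidity_metadata_trailer(b"\x12\x20" + b"\x01" * 32, b"\x00\x08\x14")

PLAN = {"Configurator": ("0xPLACEHOLDER_A", AUDITED),       # placeholder addresses
        "CometProxyAdmin": ("0xPLACEHOLDER_B", AUDITED)}
CHAIN = {"0xPLACEHOLDER_A": DEPLOYED_OK, "0xPLACEHOLDER_B": DEPLOYED_BAD}

if __name__ == "__main__":
    print("mismatches:", check_migration(PLAN, CHAIN))  # ['CometProxyAdmin']
```

A real check would fetch the deployed bytes with an RPC call such as eth_getCode and take the audited bytes from the build artifact of the reviewed commit; the comparison logic is unchanged.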
Privileged Multisig Accounts
Two privileged accounts using Safe multisig wallets were configured to interact with the MarketUpdateProposer and MarketAdminPermissionChecker contracts:
- Guardian Account: Set as the pauseGuardian in MarketAdminPermissionChecker, which can cut off the access of the marketAdmin to the protocol. It is also set as proposalGuardian within the MarketUpdateProposer, which allows the guardian wallet to cancel any proposals sent by the marketAdmin. The Safe multisig wallet for this account, at address 0x2127338F0ff71Ecc779dce407D95C7D32f7C5F45, operates with a threshold of 4 out of 8 owners:
  - 0xd2A79F263eC55DBC7B724eCc20FC7448D4795a0C
  - 0x2C96F0403eabC1F11FE737566dEDB183A019763B
  - 0x3FB19771947072629C8EEE7995a2eF23B72d4C8A
  - 0xC3AaE58Ab81663872dd36d73613eb295b167F546
  - 0xDD659911EcBD4458db07Ee7cDdeC79bf8F859AbC
  - 0x7e4A8391C728fEd9069B2962699AB416628B19Fa
  - 0x2B384212EDc04Ae8bB41738D05BA20E33277bf33
  - 0x54A37d93E57c5DA659F508069Cf65A381b61E189
- MarketAdmin Account: Defined within MarketUpdateProposer, this account has privileges to submit new proposals to the MarketUpdateProposer. The Safe multisig wallet for this account, at address 0x7e14050080306cd36b47DE61ce604b3a1EC70c4e, operates with a threshold of 2 out of the following 4 owners:
The security model depends on the integrity and reliability of the above-listed multisig wallets, assuming that these accounts belong to independent and trustworthy entities with aligned interests in maintaining the security and stability of the Compound ecosystem. In case these two accounts collude against the protocol, they can harm the protocol through misconfiguration of the markets (e.g., reducing the collateral factor can lead to liquidation of valid positions).
The protocol's monitoring should begin immediately. If the marketAdmin submits a proposal before the new governance path goes live, they could execute it as soon as the path becomes active, effectively bypassing the built-in timelock delay on the market admin path. Therefore, the community should start monitoring the market admin's actions right away.
Medium Severity
Incorrect CrossDomainMessenger Used in Migration Script
The migration script designed for updating the market admin on the Mantle network currently utilizes the opL1CrossDomainMessenger from Optimism. This introduces an inconsistency since the migration is intended for the Mantle network, which requires the use of mantleL1CrossDomainMessenger. Using the incorrect messenger could lead to failures in cross-domain message delivery, resulting in an unsuccessful migration.
Consider replacing the opL1CrossDomainMessenger with mantleL1CrossDomainMessenger in the migration script. This change will help ensure compatibility with the Mantle network and proper execution of cross-domain messaging.
Update: Resolved in pull request #1 at commit 9519774.
Conclusion
OpenZeppelin has reviewed the migration scripts and confirmed that they are functioning correctly, with the contracts being deployed and initialized successfully. One issue was identified concerning the use of an incorrect CrossDomainMessenger. Other than that, everything was accurate.
We strongly encourage the community to begin monitoring the market admin immediately, as they can start submitting proposals to the market admin timelock right away.