Mantle Market Admin Migration Review

Summary

Timeline: From 2025-01-17 To 2025-01-20

Total Issues: 1 (1 resolved)

Medium Severity Issues: 1 (1 resolved)

Scope

This review aims to analyze the migration being carried out by DoDAO to implement the Market Admin on the Mantle network.

We audited the enact migration log and the migration script in PR #1 at commit a5a5f51.

Migration Review

We reviewed the Market Admin migration for the Mantle network. During the migration review, we analyzed the following aspects:

  1. Migration Call Sequence: The migration follows the expected sequence, updating the Configurator to the new implementation and all Comet market contracts on Mantle to operate under the new CometProxyAdmin.

  2. Contract Address Consistency: Each contract’s address, including the CometProxyAdmin, Configurator, MarketAdminPermissionChecker, MarketUpdateTimelock, and MarketUpdateProposer contracts, was verified against the migration plan to ensure that the addresses were correct and consistent with our expectations.

  3. Code Integrity Check: We compared the deployed code for each new contract with the previously audited version to ensure that no unauthorized changes were introduced. This step was crucial to confirm that no new vulnerabilities were inadvertently introduced during deployment.

  4. Contract State Configuration: The initial state of each newly deployed contract was reviewed to ensure correct setup according to the migration plan. This included verifying that the ownership, permissions, and specific configuration variables such as marketAdmin, pauseGuardian, and proposalGuardian were set appropriately. We also verified that the ownership of the deployed contracts is correctly transferred to the current Timelock, making further changes to the state impossible before the Market Admin governance path goes live.

  5. Simulated Testing: To verify contract functionality and expected behavior, we conducted simulated tests. These simulations checked that the contracts, specifically MarketUpdateProposer and MarketUpdateTimelock, responded accurately to proposals, affirming that the governance changes were working as designed.

Privileged Multisig Accounts

Two privileged accounts using Safe multisig wallets were configured to interact with the MarketUpdateProposer and MarketAdminPermissionChecker contracts:

The security model depends on the integrity and reliability of the above-listed multisig wallets, assuming that these accounts belong to independent and trustworthy entities with aligned interests in maintaining the security and stability of the Compound ecosystem. If these two accounts collude against the protocol, they can harm it through misconfiguration of the markets (e.g., reducing the collateral factor can lead to liquidation of valid positions).

The protocol’s monitoring should begin immediately. If the marketAdmin submits a proposal before the new governance path goes live, they could execute it as soon as the path becomes active, effectively bypassing the built-in timelock delay on the market admin path. Therefore, the community should start monitoring the market admin’s actions right away.

Medium Severity

Incorrect CrossDomainMessenger Used in Migration Script

The migration script designed for updating the market admin on the Mantle network currently utilizes the opL1CrossDomainMessenger from Optimism. This introduces an inconsistency since the migration is intended for the Mantle network, which requires the use of mantleL1CrossDomainMessenger. Using the incorrect messenger could lead to failures in cross-domain message delivery, resulting in an unsuccessful migration.

Consider replacing the opL1CrossDomainMessenger with mantleL1CrossDomainMessenger in the migration script. This change will help ensure compatibility with the Mantle network and proper execution of cross-domain messaging.

Update: Resolved in pull request #1 at commit 9519774.
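
A pre-flight check of the kind that catches this finding, as an added example (not the reviewed migration script and not OpenZeppelin's tooling): it scans a script's source for identifiers ending in L1CrossDomainMessenger and reports any that differ from the one the target network requires. The function names, the network keys and the sample lines are assumptions constructed for illustration; only the two messenger names come from the finding.

```typescript
// Expected L1 messenger identifier per target network. Only the two names in
// the finding are listed; the network keys are assumed labels.
const EXPECTED_MESSENGER: Record<string, string> = {
  mantle: "mantleL1CrossDomainMessenger",
  optimism: "opL1CrossDomainMessenger",
};

interface Finding {
  line: number;       // 1-based line in the script
  identifier: string; // messenger identifier found on that line
  expected: string;   // messenger the target network requires
}

// Blank out /* */ and // comments, keeping newlines so line numbers hold.
// Limitation: comment markers inside string literals are treated as comments.
function stripComments(source: string): string {
  return source
    .replace(/\/\*[\s\S]*?\*\//g, (m) => m.replace(/[^\n]/g, " "))
    .replace(/\/\/[^\n]*/g, (m) => m.replace(/./g, " "));
}

// Return every *L1CrossDomainMessenger reference that is not the one the
// target network requires. An unknown network throws instead of passing.
function checkMessenger(network: string, source: string): Finding[] {
  const expected = EXPECTED_MESSENGER[network];
  if (expected === undefined) {
    throw new Error("no expected messenger configured for " + network);
  }
  const findings: Finding[] = [];
  stripComments(source).split("\n").forEach((text, i) => {
    const re = /\b[A-Za-z0-9_]*L1CrossDomainMessenger\b/g;
    let m: RegExpExecArray | null;
    while ((m = re.exec(text)) !== null) {
      if (m[0] !== expected) {
        findings.push({ line: i + 1, identifier: m[0], expected: expected });
      }
    }
  });
  return findings;
}

// Constructed sample lines, not taken from the reviewed script.
const BEFORE_FIX = [
  "const { bridgeReceiver, opL1CrossDomainMessenger } = contracts;",
  "// relay through mantleL1CrossDomainMessenger",
  "targets.push(opL1CrossDomainMessenger.address);",
].join("\n");
const AFTER_FIX = BEFORE_FIX.replace(/opL1/g, "mantleL1");
```

Run against a Mantle migration, the constructed pre-fix sample yields findings on lines 1 and 3 and the post-fix sample yields none.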

Conclusion

OpenZeppelin has reviewed the migration scripts and confirmed that they are functioning correctly, with the contracts being deployed and initialized successfully. One issue was identified concerning the use of an incorrect CrossDomainMessenger. Other than that, everything was accurate.

We strongly encourage the community to begin monitoring the market admin immediately, as they can start submitting proposals to the market admin timelock right away.