Optimism Market Admin Migration Review

Summary

Timeline: From 2024-11-11 To 2024-11-12

Total Issues: 0 (0 resolved)

Scope

We reviewed the calldata generated by the Optimism migration script in PR#1 at the 607ce91 commit.

Migration review

We reviewed the Market Admin migration for the Optimism network. During the migration review, we analyzed the following aspects:

  1. Migration Call Sequence: The migration follows the expected sequence, updating the Configurator to the new implementation and all Comet market contracts on Optimism to operate under the new CometProxyAdmin.

  2. Contract Address Consistency: Each contract’s address, including CometProxyAdmin, Configurator, MarketAdminPermissionChecker, MarketUpdateTimelock, and MarketUpdateProposer, was verified against the migration plan to ensure the addresses were correct and consistent with our expectations.

  3. Code Integrity Check: We compared the deployed code for each new contract with the previously audited version to ensure no unauthorized changes were introduced. This step was crucial to confirm that no new vulnerabilities were inadvertently introduced during deployment.

  4. Contract State Configuration: The initial state of each newly deployed contract was reviewed to ensure correct setup according to the migration plan. This included verifying that the ownership, permissions, and specific configuration variables such as marketAdmin, pauseGuardian, and proposalGuardian were set appropriately. We also verified that the ownership of the deployed contracts are correctly transferred to the current Timelock, making it impossible for further changes to state before the Market Admin governance path is live.

  5. Simulated Testing: To verify contract functionality and expected behavior, we conducted simulated tests. These simulations checked that the contracts, specifically MarketUpdateProposer and MarketUpdateTimelock, responded accurately to proposals, affirming that the governance changes were working as designed.

After this comprehensive analysis, we confirm that the migration on the Optimism network executes as expected, with all contract addresses, permissions, and state configurations matching the pre-audited specifications. The deployment aligns with the intended security model, with no discrepancies or issues identified.

Privileged Multisig Accounts

Two privileged accounts using Safe multisig wallets were configured to interact with the MarketUpdateProposer and MarketAdminPermissionChecker contracts:

The security model depends on the integrity and reliability of these multisig wallets, assuming that these addresses belong to independent and trustworthy entities with aligned interests in maintaining the security and stability of the Compound ecosystem. In case these two addresses collude against the protocol, they can harm the protocol through misconfiguration of the markets (e.g. reducing collateral factor can lead to liquidation of valid positions).

The protocol’s monitoring should begin immediately. If the marketAdmin submits a proposal before the new governance path is live, they could execute it as soon as the path becomes active, effectively bypassing the built-in timelock delay on the market admin path. Therefore, the community should start monitoring the market admin’s actions right away.

Conclusion

Our team at OpenZeppelin has reviewed the migration scripts and confirmed they are functioning correctly, with the contracts deployed successfully and correctly initialized. We strongly encourage the community to begin monitoring the market admin immediately, as they can start submitting proposals to the market admin timelock right away.