Proposal 414 Review

Summary

Timeline: From 2025-03-10 To 2025-03-10

Total Issues: 1 (0 resolved)

High Severity Issues: 1 (0 resolved)

Scope

OpenZeppelin has reviewed Compound Governance Proposal #414, submitted by FranklinDAO. The proposal aims to initialize a Compound WETH Market on the Ronin network.

No migration enactment calldata was available for comparison, as the workflow simulation had not successfully completed at the time of the migration review. In addition, when evaluating the state of the networks involved at the time of the proposal, a potential attack vector was identified. It is made possible by the CCIP cross-chain implementation within the Ronin Bridge Receiver, combined with old deployer addresses that are not under the control of the Compound DAO.

Forum posts:

Cross-chain Actions

The cross-chain calldata of the proposal decodes into a cross-chain message to the Bridge Receiver on the Ronin network which, in turn, evaluates into the following actions:

  1. Call to setConfiguration of the WETH Comet Market on the Ronin network.

  2. Call to deployAndUpgradeTo the updated WETH Comet Market.

Proposal Analysis

Proposal 414 was reviewed with the following results:

  • Proposal simulation passed
  • Proposal calldata is correct
  • Proposal recommendations are accurate

High Severity

Source Chain Not Validated For Cross-Chain Messaging

The Ronin Bridge Receiver is responsible for receiving messages from the Compound Timelock contract on Mainnet. It relies on Chainlink’s CCIP protocol for this cross-chain communication. Upon receiving a message via the CCIP Router, the Bridge Receiver validates that the message sender is the Timelock address.

The Bridge Receiver does not validate the source chain of the incoming message. As mentioned in the CCIP documentation, it is best practice to ensure that ccipReceive validates the source chain of the incoming message. This prevents the same address on other networks (which may not have the same bytecode) from sending messages to the recipient contract via CCIP.

It is theoretically possible for the Compound Deployer 1 EOA to deploy a malicious contract on the Base network at the same address as the Timelock contract on Mainnet Ethereum. The Base network has an allowed on-ramp for CCIP messages as can be seen here. More networks may be added in the future. This would allow for arbitrary proposal submission to the Ronin Network by impersonating the Mainnet Timelock.

Update: Resolved in commit 0108f65. The ccipReceive function of the RoninBridgeReceiver contract has been updated to validate that received messages originated from Ethereum Mainnet.

Conclusion

The issue disclosed within this report surfaces an attack vector that could potentially put protocol funds on the Ronin network at risk by allowing a contract deployed on another network to impersonate the Compound Timelock on the Ronin network. It is recommended that the current proposal be cancelled and the RoninBridgeReceiver be updated as recommended in order to close this attack vector.

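The following Solidity sketch is an added illustration of the pattern described in the finding above; it is not the Compound RoninBridgeReceiver source nor the fix in commit 0108f65. It places the vulnerable receiver (sender address checked, source chain ignored) beside a hardened one that pins both `sourceChainSelector` and the sender. The Chainlink import paths and the `(targets, values, calldatas)` payload encoding are assumptions made for this example; the Ethereum Mainnet selector value is the one published in Chainlink's CCIP directory at the time of writing.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example for this review; not the Compound RoninBridgeReceiver source.
// Import paths assume the Chainlink CCIP npm package layout (an assumption).
import {CCIPReceiver} from "@chainlink/contracts-ccip/contracts/applications/CCIPReceiver.sol";
import {Client} from "@chainlink/contracts-ccip/contracts/libraries/Client.sol";

/// Shared payload execution used by both receivers below. The payload encoding
/// (targets, values, calldatas) is a simplification chosen for this example.
abstract contract PayloadExecutor {
    event Executed(address indexed target, uint256 value, bytes data);

    receive() external payable {}

    function _execute(bytes memory payload) internal {
        (address[] memory targets, uint256[] memory values, bytes[] memory calldatas) =
            abi.decode(payload, (address[], uint256[], bytes[]));
        require(targets.length == values.length && targets.length == calldatas.length, "length mismatch");
        for (uint256 i = 0; i < targets.length; i++) {
            (bool ok, bytes memory ret) = targets[i].call{value: values[i]}(calldatas[i]);
            if (!ok) {
                // Bubble up the revert data of the failed sub-call unchanged.
                assembly { revert(add(ret, 32), mload(ret)) }
            }
            emit Executed(targets[i], values[i], calldatas[i]);
        }
    }
}

/// Vulnerable pattern from the finding: only the sender address is checked.
/// A contract deployed to the same address on any other CCIP-enabled chain
/// passes this check, because `message.sender` carries no chain information.
contract VulnerableBridgeReceiver is CCIPReceiver, PayloadExecutor {
    address public immutable timelock;

    constructor(address router, address timelock_) CCIPReceiver(router) {
        timelock = timelock_;
    }

    function _ccipReceive(Client.Any2EVMMessage memory message) internal override {
        // For EVM source chains CCIP encodes the sender as abi.encode(address).
        address sender = abi.decode(message.sender, (address));
        require(sender == timelock, "unauthorized sender");
        // message.sourceChainSelector is never examined: this is the gap.
        _execute(message.data);
    }
}

/// Hardened pattern: pin both the source chain selector and the sender.
contract HardenedBridgeReceiver is CCIPReceiver, PayloadExecutor {
    // Ethereum Mainnet chain selector as listed in Chainlink's CCIP directory
    // (taken from public documentation; verify before deploying).
    uint64 public constant ETHEREUM_MAINNET_SELECTOR = 5009297550715157269;

    uint64 public immutable sourceChainSelector;
    address public immutable timelock;

    error InvalidSourceChain(uint64 received, uint64 expected);
    error InvalidSender(address received, address expected);

    constructor(address router, uint64 sourceChainSelector_, address timelock_) CCIPReceiver(router) {
        sourceChainSelector = sourceChainSelector_;
        timelock = timelock_;
    }

    function _ccipReceive(Client.Any2EVMMessage memory message) internal override {
        // Check the chain first: the sender address is only meaningful on the
        // chain where the Timelock actually lives.
        if (message.sourceChainSelector != sourceChainSelector) {
            revert InvalidSourceChain(message.sourceChainSelector, sourceChainSelector);
        }
        address sender = abi.decode(message.sender, (address));
        if (sender != timelock) revert InvalidSender(sender, timelock);
        _execute(message.data);
    }
}
```

In both contracts `CCIPReceiver` already restricts the external `ccipReceive` entry point to the configured Router, so the only thing the hardened version adds is the `sourceChainSelector` comparison. That single check is what turns "this address sent the message" into "the Mainnet Timelock sent the message", which is the property the Ronin receiver actually needs.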

OpenZeppelin reviewed Woof!'s changes to address the issue. The issue is resolved and the report is updated.
