Ronin WETH Market Migration Review

Summary

Timeline: From 2025-02-24 To 2025-02-26

Total Issues: 7 (6 resolved)

Medium Severity Issues: 3 (3 resolved)

Low Severity Issues: 2 (2 resolved)

Notes & Additional Information: 2 (1 resolved)

Scope

OpenZeppelin reviewed pull request #962 at commit a63bd77. This pull request will submit a governance proposal to create a WETH Comet market on the Ronin network using the official Comet Migration process. Discussion on the proposal can be found in the Compound Forum.

In scope were the following files:

.github/workflows/enact-migration.yaml
contracts/bridges/ronin/RoninBridgeReceiver.sol
deployments/ronin/weth/migrations/1689892563_configurate_and_ens.ts
deployments/ronin/weth/configuration.json
deployments/ronin/weth/deploy.ts

System Overview

Ronin is an EVM-compatible Layer 1 blockchain designed for gaming, developed by Sky Mavis. It supports millions of daily active users and has processed significant transaction volumes, including notable NFT activity. Operating on a Delegated Proof of Stake (DPoS) consensus mechanism, Ronin is optimized for near-instant transactions and minimal fees, providing a scalable environment for various decentralized applications without making definitive claims regarding its overall performance.

In line with its expansion strategy, the Ronin Ecosystem team is planning to deploy Compound III on the network, starting with a new Comet Market for WETH. This integration will incorporate Compound’s established DeFi infrastructure into Ronin, marking the protocol’s first foray into an alt-L1 blockchain. By utilizing its DPoS mechanism and cross-chain communication via Chainlink CCIP, this deployment is intended to enhance liquidity and capital efficiency, potentially benefiting both the gaming community and the broader range of DeFi users.

The focus of OpenZeppelin’s review was pull request #962, which includes the deployed dependencies, the official migration governance proposal, and all the security concerns that may arise during the execution of the proposal. Specifically, we checked that:

  • The correct contracts were deployed on-chain.
  • The simulation workflow created the same proposal as the deployment workflow.
  • The proposal description was accurate and descriptive of its effects.
  • The proposal dependencies were verified as deployed with the correct configurations.
  • The proposal instructions were decoded and verified as complete.
  • The correct oracle price feeds were used.
  • The proposal instructions were simulated and executed successfully without errors.

Trust Assumptions

During the course of this review, the following trust assumptions were made.

EVM Equivalence

Currently, the Ronin network implements the London EVM. This means that it does not support Push0, which may raise issues for contracts using a Solidity version greater than 0.8.20. Where the Solidity version is greater than 0.8.20, it is crucial that contracts are compiled with the London EVM as the target version in order to avoid the use of Push0.

COMP Rewards

While Gauntlet has provided recommendations for COMP rewards, the COMP token is not currently whitelisted on the CCIP bridge that connects Ethereum and Ronin. We assume that once the COMP token is whitelisted, a new governance proposal will be introduced to bridge COMP tokens and establish rewards for the WETH market.

Ronin’s Governance

The Ronin chain operates under the governance of 12 Governing Validators who manage protocol upgrades such as updating smart contracts and adding or removing Governing Validators. Within the Ronin ecosystem, any upgrades must undergo an on-chain proposal, necessitating the approval of at least 70% of the governing validators.

Consensus Mechanism

Ronin transitioned from a Proof of Authority (PoA) consensus mechanism to Delegated Proof of Stake (DPoS) in April 2023, following the Ronin Security Breach in March 2022. Under the current DPoS system, token holders delegate their stake to a relatively small set of validators — comprising 12 trusted Governing Validators and a group of Rotating Validators. All validators vote for finality, but only 22 validators are selected to produce blocks in a given epoch. These 22 validators include 12 Governing Validators elected by the community and 10 Rotating Validators selected randomly. The probability of being chosen as a Rotating Validator is proportional to the amount of stake held by each validator.

While the limited validator set may suggest potential centralization risks, measures such as the use of Rotating Validators have been implemented to help mitigate these risks. It is expected that with the protocol’s growth, the number of validators may increase, which could further address centralization concerns.

Bridge Security Enhancements

In 2024, Ronin suffered from a critical breach in its previous bridge implementation. In response, the network migrated its bridge infrastructure to utilize Chainlink CCIP, with this migration being completed in late 2024. This update integrates an established cross-chain communication protocol into the Ronin ecosystem, providing a standardized framework for secure interoperability between networks.

Medium Severity

Mismatched Seed Reserves for WETH Comet

Gauntlet’s recommended seed reserves for the WETH comet on the Ronin network are 25 WETH. However, in the migration script, only 10 ETH are being bridged to the WETH comet.

Consider updating the ETH amount being bridged to match Gauntlet’s recommendation.

Update: Resolved in pull request #962 at commit 31016a7.

RoninBridgeReceiver Missing supportsInterface Implementation

The RoninBridgeReceiver contract lacks an implementation of the supportsInterface function from ERC-165. Without this function, the contract will not be recognized as a valid CCIP receiver, as noted in the code comments of the reference CCIPReceiver contract and the CCIP docs. As a result, the ccipReceive function in the bridge receiver will not be called, and only tokens will be transferred.

To ensure that cross-chain messages are correctly processed via the ccipReceive function, consider implementing the supportsInterface function in RoninBridgeReceiver, ensuring that it returns true for both the IAny2EVMMessageReceiver and IERC165 interface IDs. Alternatively, consider extending the base CCIPReceiver contract which already provides this functionality.
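The following contract is an added example, not the RoninBridgeReceiver from the reviewed pull request. It shows the shape of a CCIP receiver that passes the router's ERC-165 probe: supportsInterface returns true for both the IAny2EVMMessageReceiver and IERC165 interface IDs, and ccipReceive only accepts calls from the router that originate from the expected source chain and sender. The IERC165, Client and IAny2EVMMessageReceiver declarations are trimmed inline copies of the Chainlink CCIP interfaces so the file compiles stand-alone; the contract name, constructor parameters and the assumed payload layout (an array of targets and calldatas) are illustrative assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added example (not the reviewed RoninBridgeReceiver). Interfaces below are
// trimmed inline copies of Chainlink's CCIP interfaces so this compiles alone.
// Compile with evmVersion "london" for Ronin so that no PUSH0 is emitted.

interface IERC165 {
    function supportsInterface(bytes4 interfaceId) external view returns (bool);
}

library Client {
    struct EVMTokenAmount { address token; uint256 amount; }
    struct Any2EVMMessage {
        bytes32 messageId;
        uint64 sourceChainSelector;
        bytes sender;                      // abi.encode(address) of the source-chain sender
        bytes data;                        // payload delivered to the receiver
        EVMTokenAmount[] destTokenAmounts; // tokens delivered alongside the message
    }
}

interface IAny2EVMMessageReceiver {
    function ccipReceive(Client.Any2EVMMessage calldata message) external;
}

contract ExampleBridgeReceiver is IAny2EVMMessageReceiver, IERC165 {
    address public immutable router;             // CCIP router on this (destination) chain
    uint64 public immutable sourceChainSelector; // chain selector of the expected origin
    bytes public trustedSender;                  // abi.encode(address) of the trusted origin

    event MessageProcessed(bytes32 indexed messageId, uint256 calls);

    error OnlyRouter(address caller);
    error UntrustedSource(uint64 selector, bytes sender);
    error CallFailed(uint256 index, bytes reason);

    constructor(address router_, uint64 sourceChainSelector_, address trustedSender_) {
        router = router_;
        sourceChainSelector = sourceChainSelector_;
        trustedSender = abi.encode(trustedSender_);
    }

    // ERC-165: the router checks this before delivering a message. If it returns
    // false (or is missing), ccipReceive is never invoked and only tokens arrive.
    function supportsInterface(bytes4 interfaceId) public pure override returns (bool) {
        return interfaceId == type(IAny2EVMMessageReceiver).interfaceId // 0x85572ffb
            || interfaceId == type(IERC165).interfaceId;                 // 0x01ffc9a7
    }

    function ccipReceive(Client.Any2EVMMessage calldata message) external override {
        if (msg.sender != router) revert OnlyRouter(msg.sender);
        if (message.sourceChainSelector != sourceChainSelector
            || keccak256(message.sender) != keccak256(trustedSender)) {
            revert UntrustedSource(message.sourceChainSelector, message.sender);
        }
        _processMessage(message);
    }

    // Assumed payload layout for this example: abi.encode(address[] targets, bytes[] calldatas).
    function _processMessage(Client.Any2EVMMessage calldata message) internal {
        (address[] memory targets, bytes[] memory calldatas) =
            abi.decode(message.data, (address[], bytes[]));
        require(targets.length == calldatas.length, "length mismatch");
        for (uint256 i = 0; i < targets.length; i++) {
            (bool ok, bytes memory reason) = targets[i].call(calldatas[i]);
            if (!ok) revert CallFailed(i, reason);
        }
        emit MessageProcessed(message.messageId, targets.length);
    }
}
```

Extending Chainlink's CCIPReceiver base contract gives the same supportsInterface and router check for free; the inline version above is shown so the two interface IDs and the sender validation are visible in one place.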

Update: Resolved in pull request #962 at commit 31016a7.

Excessive CCIP Service Fees Will Be Lost

The migration script uses Chainlink’s CCIP Router to send a message from Ethereum to Ronin via the ccipSend function, which requires an upfront payment in ETH for the cross-chain messaging service. However, 0.5 ETH is being sent as the service fee, which is excessive and nonrefundable.

To avoid losing excess funds, consider using the getFee function to estimate the correct amount needed for paying the cross-chain messaging fees.
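The contract below is an added example, not code from the reviewed migration, showing the getFee pattern the recommendation refers to: the fee is quoted from the router for the exact message being sent, the call forwards only that amount, and any surplus value is returned to the caller. The Client library and IRouterClient are trimmed inline copies of the Chainlink CCIP interfaces so the file compiles stand-alone; the contract name QuotedCcipSender and its function names are assumptions. In a migration script the same quote can be obtained off-chain by calling getFee on the router and using the result as the value of the ccipSend action.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added example (not the reviewed migration). Interfaces below are trimmed inline
// copies of Chainlink's IRouterClient and Client library so this compiles alone.

library Client {
    struct EVMTokenAmount { address token; uint256 amount; }
    struct EVM2AnyMessage {
        bytes receiver;                // abi.encode(address) of the destination receiver
        bytes data;                    // payload delivered to ccipReceive
        EVMTokenAmount[] tokenAmounts; // tokens bridged alongside the message
        address feeToken;              // address(0) = pay the fee in native ETH
        bytes extraArgs;               // encoded EVMExtraArgsV1 (destination gas limit)
    }
    struct EVMExtraArgsV1 { uint256 gasLimit; }
    // bytes4(keccak256("CCIP EVMExtraArgsV1"))
    bytes4 public constant EVM_EXTRA_ARGS_V1_TAG = 0x97a657c9;

    function _argsToBytes(EVMExtraArgsV1 memory extraArgs) internal pure returns (bytes memory) {
        return abi.encodeWithSelector(EVM_EXTRA_ARGS_V1_TAG, extraArgs);
    }
}

interface IRouterClient {
    function getFee(uint64 destinationChainSelector, Client.EVM2AnyMessage memory message)
        external view returns (uint256 fee);
    function ccipSend(uint64 destinationChainSelector, Client.EVM2AnyMessage calldata message)
        external payable returns (bytes32 messageId);
}

contract QuotedCcipSender {
    IRouterClient public immutable router;

    error InsufficientFee(uint256 required, uint256 provided);
    error RefundFailed(address to, uint256 amount);

    constructor(IRouterClient router_) { router = router_; }

    function buildMessage(address receiver, bytes memory data, uint256 gasLimit)
        public pure returns (Client.EVM2AnyMessage memory)
    {
        return Client.EVM2AnyMessage({
            receiver: abi.encode(receiver),
            data: data,
            tokenAmounts: new Client.EVMTokenAmount[](0),
            feeToken: address(0),
            extraArgs: Client._argsToBytes(Client.EVMExtraArgsV1({gasLimit: gasLimit}))
        });
    }

    // Quote the native fee the router charges for this exact message right now.
    function quoteFee(uint64 destChainSelector, address receiver, bytes memory data, uint256 gasLimit)
        external view returns (uint256)
    {
        return router.getFee(destChainSelector, buildMessage(receiver, data, gasLimit));
    }

    // Send the message paying exactly the quoted fee. The router treats the whole
    // msg.value it receives as the fee, so surplus must be held back here and
    // returned to the caller rather than forwarded.
    function send(uint64 destChainSelector, address receiver, bytes memory data, uint256 gasLimit)
        external payable returns (bytes32 messageId)
    {
        Client.EVM2AnyMessage memory message = buildMessage(receiver, data, gasLimit);
        uint256 fee = router.getFee(destChainSelector, message);
        if (msg.value < fee) revert InsufficientFee(fee, msg.value);

        messageId = router.ccipSend{value: fee}(destChainSelector, message);

        uint256 surplus = msg.value - fee;
        if (surplus > 0) {
            (bool ok, ) = msg.sender.call{value: surplus}("");
            if (!ok) revert RefundFailed(msg.sender, surplus);
        }
    }
}
```

Because the quote depends on the message (receiver, payload, gas limit and fee token), it must be computed for the same message that is actually sent; a quote taken for a different payload or gas limit can under- or over-estimate the fee.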

Update: Resolved in pull request #962 at commit 31016a7.

Low Severity

Unverified Contract Addresses

The pauseGuardian and bridgeReceiver addresses used in the migration are not verified on Ronin’s block explorer. As a result, public verification and scrutiny of these contracts are hindered, reducing the overall transparency of the migration process.

Consider verifying these contracts on Ronin’s block explorer prior to submitting the proposal on-chain, ensuring that external parties can audit the code and confirm its integrity.

Update: Resolved in pull request #962 at commit 31016a7. The bridgeReceiver address was deployed and verified.

Scenario Check Failure

The ronin-weth scenario check present in the pull request is currently failing.

Consider ensuring the ronin-weth scenario check passes successfully before submitting the on-chain proposal to deploy the WETH market on the Ronin network.

Update: Resolved in pull request #123. Scenario results: ronin-weth.

Notes & Additional Information

Misleading Documentation

Multiple instances of misleading documentation were identified in the deploy.ts script:

  • In line 121, the comment should say “AXS / USD” instead of “RON / USD”.
  • In line 132, the comment should say “USDC / USD” instead of “RON / USD”.
  • In line 150, the mention of MNT is incorrect, and the wrapped native token WRON will be used as a collateral asset.

Consider correcting any instances of misleading comments to enhance the clarity, accuracy, and readability of the codebase.

Update: Resolved in pull request #962 at commit 31016a7.

Todo Comments in the Code

During development, having well-described TODO/Fixme comments will make the process of tracking and solving them easier. Without this information, important information for the security of the system might be forgotten by the time it is released to production. Thus, such comments should be tracked in the project’s issue backlog and resolved before the system is deployed.

Within the migration script, an instance of a TODO comment was identified.

Consider removing all instances of TODO/Fixme comments and instead tracking them in the issues backlog. Alternatively, consider linking each inline TODO/Fixme to the corresponding issues backlog entry.

Update: Acknowledged, not resolved.

Conclusion

OpenZeppelin conducted a review of the Compound WETH Comet Market that is set to launch on the Ronin network. The review uncovered three medium-severity issues along with several other issues of lower severity.

Asking a point for clarification, is it typical for proposals to go live without addressing open actions? Curious what the typical process looks like.

Proposal is on-chain - Tally | Compound | Initialize cWETHv3 on Ronin

Enact action - Enact Migration · woof-software/comet@7f16bfc · GitHub