stake.link

DeFi, Hardhat, Bridge
27,500 USDC
Submission Details
Severity: low
Valid

CCIP router address cannot be updated

Summary

CCIP Router addresses cannot be updated in SDLPoolCCIPController.sol, SDLPoolCCIPControllerPrimary.sol, SDLPoolCCIPControllerSecondary.sol, WrappedTokenBridge.sol.

Vulnerability Details

On contracts that inherit from CCIPReceiver, router addresses need to be updateable. Chainlink may update the router addresses as they did before. This issue introduces a single point of failure that is outside of the protocol's control.

An example contract that uses CCIP, taken from the Chainlink docs.

Chainlink's documentation notifies users about the router address update on testnet:

CCIP v1.0.0 has been deprecated on testnet. You must use the new router addresses mentioned in the CCIP v1.2.0 configuration page before January 31st, 2024

On testnets, the router contracts in v1.0.0 and v1.2.0 are different, which means router contract addresses can change from version to version, so CCIPReceivers should accommodate this. Mainnet is on v1.0.0, which means its router addresses can change with an update.

Impact

Impact: High
Likelihood: Low

Router address deprecation will cause the protocol to stop working.

Tools Used

Manual review.

Recommendations

Implement a function to update the _router address. Example shown below:

// Lets the owner point the contract at a new CCIP router address.
function updateRouter(address routerAddr) external onlyOwner {
    _router = routerAddr;
}
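
A fuller sketch of this recommendation, added here as an example and not taken from the stake.link code base or from Chainlink: a self-contained receiver base that keeps the router in storage, so the onlyRouter check follows an update. The contract name, event, errors, getRouter and the simplified ccipReceive(bytes) signature are assumptions; only _router and updateRouter come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Illustrative only: names other than _router/updateRouter are hypothetical.
abstract contract UpdatableRouterReceiver {
    address private _owner;
    // Kept in a regular storage slot (not immutable) so it can be replaced.
    address private _router;

    event RouterUpdated(address indexed oldRouter, address indexed newRouter);

    error NotOwner(address caller);
    error InvalidRouter(address caller);
    error ZeroAddress();

    constructor(address routerAddr) {
        if (routerAddr == address(0)) revert ZeroAddress();
        _owner = msg.sender;
        _router = routerAddr;
    }

    modifier onlyOwner() {
        if (msg.sender != _owner) revert NotOwner(msg.sender);
        _;
    }

    // Reads the current storage value, so an update takes effect immediately.
    modifier onlyRouter() {
        if (msg.sender != _router) revert InvalidRouter(msg.sender);
        _;
    }

    function getRouter() public view returns (address) {
        return _router;
    }

    function updateRouter(address routerAddr) external onlyOwner {
        // Reject the zero address: it would block every incoming message.
        if (routerAddr == address(0)) revert ZeroAddress();
        emit RouterUpdated(_router, routerAddr);
        _router = routerAddr;
    }

    // Simplified stand-in for the CCIP receive entry point.
    function ccipReceive(bytes calldata message) external onlyRouter {
        _ccipReceive(message);
    }

    function _ccipReceive(bytes calldata message) internal virtual;
}
```

The emitted RouterUpdated event gives monitoring a record of every router change, which matters because whoever controls the router address controls which caller may deliver cross-chain messages.
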
Updates

Lead Judging Commences

0kage Lead Judge
almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

static-router

router cannot be upgraded
