stake.link
DeFiHardhatBridge
27,500 USDC
Submission Details
Severity: low
Invalid

Contracts are not using their OZ upgradeable counterparts

Summary

This report identifies a potential issue in the use of OpenZeppelin's library contracts in the Stake-Link project. The project uses the non-upgradeable standard version of the library contracts, such as Ownable, Pausable, Address, Context, SafeERC20, ERC1967Upgrade etc., which are not compatible with the upgrades plugin. This could lead to errors or unexpected behavior when deploying or upgrading the contracts. The report recommends using the upgradeable version of the library contracts from @openzeppelin/contracts-upgradeable instead of @openzeppelin/contracts.

Vulnerability Details

The issue affects the following contracts in the Stake-Link project:

5 import "@openzeppelin/contracts/access/Ownable.sol";

https://github.com/Cyfrin/2023-12-stake-link/tree/main/contracts/core/RewardsInitiator.sol#L5

6 import "@openzeppelin/contracts/access/Ownable.sol";
7 import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

https://github.com/Cyfrin/2023-12-stake-link/tree/main/contracts/core/ccip/RESDLTokenBridge.sol#L6-L7

7 import "@openzeppelin/contracts/access/Ownable.sol";
8 import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

https://github.com/Cyfrin/2023-12-stake-link/tree/main/contracts/core/ccip/WrappedTokenBridge.sol#L7-L8

7 import "@openzeppelin/contracts/access/Ownable.sol";
8 import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

https://github.com/Cyfrin/2023-12-stake-link/tree/main/contracts/core/ccip/base/SDLPoolCCIPController.sol#L7-L8

4 import "@openzeppelin/contracts/access/Ownable.sol";

https://github.com/Cyfrin/2023-12-stake-link/tree/main/contracts/core/sdlPool/LinearBoostController.sol#L4

  • RewardsInitiator: This contract is responsible for initiating the rewards distribution for the Stake-Link token holders. The contract inherits from the Ownable contract from @openzeppelin/contracts, which has a constructor that is not compatible with the upgrades plugin.

  • RESDLTokenBridge: This contract is responsible for bridging the Stake-Link token between the Ethereum and Binance Smart Chain networks. The contract inherits from the Ownable and SafeERC20 contracts from @openzeppelin/contracts, which have constructors or initial values that are not compatible with the upgrades plugin.

  • WrappedTokenBridge: This contract is responsible for wrapping and unwrapping the Stake-Link token on the Binance Smart Chain network. The contract inherits from the Ownable and SafeERC20 contracts from @openzeppelin/contracts, which have constructors or initial values that are not compatible with the upgrades plugin.

  • SDLPoolCCIPController: This contract is an abstract contract that implements the CCIPReceiver interface for the Stake-Link pool contracts. The contract inherits from the Ownable and SafeERC20 contracts from @openzeppelin/contracts, which have constructors or initial values that are not compatible with the upgrades plugin.

  • LinearBoostController: This contract is responsible for controlling the linear boost mechanism for the Stake-Link pool contracts. The contract inherits from the Ownable contract from @openzeppelin/contracts, which has a constructor that is not compatible with the upgrades plugin.

Impact

The impact of this issue is that the contracts cannot be deployed or upgraded using the upgrades plugin, which provides automated security checks and simplifies the upgradeability process. This could limit the functionality and the security of the contracts, and make them harder to maintain and update.

Tools Used

Manual

Recommendations

The report recommends using the contracts from @openzeppelin/contracts-upgradeable instead of @openzeppelin/contracts where applicable. The upgradeable versions of the library contracts are designed to be compatible with the upgrades plugin, and have the same functionality and security as the standard versions.
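As an added illustration of the recommended pattern (example code, not the project's own contracts), the following file places a minimal constructor-based Ownable contract next to its upgradeable counterpart. It assumes OpenZeppelin 4.x and a contract that is actually deployed behind a proxy, which is the premise the report rests on.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Standard (constructor-based) variants, as the report says the project imports:
import "@openzeppelin/contracts/access/Ownable.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
// Upgradeable variants the report recommends:
import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
import "@openzeppelin/contracts-upgradeable/token/ERC20/utils/SafeERC20Upgradeable.sol";

// Before: Ownable's constructor writes owner() into the *implementation's* storage.
// If this contract is placed behind a proxy, the proxy's owner() stays address(0)
// and every onlyOwner function called through the proxy is unreachable.
contract TokenSweeperV1 is Ownable {
    // SafeERC20 is a library attached with `using for`: it has no storage and no constructor.
    using SafeERC20 for IERC20;

    IERC20 public token;

    constructor(IERC20 _token) {
        token = _token;
    }

    function sweep(address to, uint256 amount) external onlyOwner {
        token.safeTransfer(to, amount);
    }
}

// After: state is set in an initializer, which runs in the proxy's storage context.
contract TokenSweeperV1Upgradeable is Initializable, OwnableUpgradeable {
    using SafeERC20Upgradeable for IERC20Upgradeable;

    IERC20Upgradeable public token;

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        _disableInitializers(); // lock the bare implementation so it can never be initialized
    }

    function initialize(IERC20Upgradeable _token) external initializer {
        __Ownable_init(); // OZ 4.x signature; 5.x takes an initialOwner argument
        token = _token;
    }

    function sweep(address to, uint256 amount) external onlyOwner {
        token.safeTransfer(to, amount);
    }
}
```

Deploying the second contract through the Hardhat upgrades plugin's deployProxy makes the plugin call initialize on the proxy and run its storage-layout and constructor checks; the first contract would fail those checks at deploy time.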

Updates

Lead Judging Commences

0kage Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
