MorpheusAI

Foundry
22,500 USDC
Submission Details
Severity: medium
Invalid

Centralization Risk

Summary

Contracts have owners with privileged rights to perform admin tasks and need to be trusted to not perform malicious updates or drain funds.

Vulnerability Details

  • Found in contracts/Distribution.sol Line: 174

    L1Sender(l1Sender).sendMintMessage{value: msg.value}(user_, pendingRewards_, _msgSender());
  • Found in contracts/Distribution.sol Line: 197

    Pool storage pool = pools[poolId_];
  • Found in contracts/Distribution.sol Line: 281

    emit UserWithdrawn(poolId_, user_, amount_);
  • Found in contracts/L1Sender.sol Line: 114

    IGatewayRouter(config.gateway).outboundTransfer{value: msg.value}(
  • Found in contracts/L1Sender.sol Line: 124

    function sendMintMessage(address user_, uint256 amount_, address refundTo_) external payable onlyDistribution {
  • Found in contracts/L1Sender.sol Line: 128

    bytes memory payload_ = abi.encode(user_, amount_);
  • Found in contracts/L2MessageReceiver.sol Line: 66

    emit RetryMessageSuccess(senderChainId_, senderAndReceiverAddresses_, nonce_, payload_);
  • Found in contracts/L2TokenReceiver.sol Line: 96

    amountAdd0_ = rewardTokenAmountAdd_;
  • Found in contracts/L2TokenReceiver.sol Line: 126

    TransferHelper.safeApprove(newParams_.tokenOut, nonfungiblePositionManager, type(uint256).max);
  • Found in contracts/mock/tokens/StETHMock.sol Line: 7

    contract StETHMock is ERC20, Ownable {
  • Found in contracts/mock/tokens/StETHMock.sol Line: 29

    function setTotalPooledEther(uint256 _totalPooledEther) external onlyOwner {

Impact

The identified centralization risk may expose the system to potential abuse or unauthorized changes by trusted owners. Malicious actions could lead to fund draining or unintended modifications in critical contract parameters.

Tools Used

Manual Review

Recommendations

Privileged Operations Oversight: Conduct a thorough review of functions involving privileged operations, such as minting tokens or editing pool parameters. Implement safeguards to mitigate centralization risks and ensure the trustworthiness of privileged owners.

Multi-Signature Wallets: Consider implementing multi-signature wallets or governance contracts to distribute control among multiple trusted parties. This can enhance security and reduce the impact of potential malicious actions by a single entity.
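As an added illustration of the second recommendation (not code from the MorpheusAI contracts), the following contract shows how a privileged pool-parameter edit can be split into a queue step and a delayed execute step, so that users can observe a pending change before it takes effect and the admin address can be a multisig rather than a single key. The Pool fields, the function names and the two-day delay are assumptions chosen for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Example only (not MorpheusAI project code): pool-parameter edits are queued
// with a delay so that holders can react before a change applies. The Pool
// fields and function names are assumptions modelled on the finding above.
contract TimelockedPoolAdmin {
    struct Pool { uint128 payoutStart; uint128 decreaseInterval; uint256 initialReward; }
    struct Proposal { Pool params; uint256 eta; }

    uint256 public constant MIN_DELAY = 2 days;
    address public immutable admin; // intended to be a multisig, not an EOA

    mapping(uint256 => Pool) public pools;
    mapping(uint256 => Proposal) public pending;

    event PoolEditQueued(uint256 indexed poolId, uint256 eta);
    event PoolEditCancelled(uint256 indexed poolId);
    event PoolEdited(uint256 indexed poolId);

    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }

    constructor(address admin_) { admin = admin_; }

    // Step 1: record the intended parameters and the earliest time they may apply.
    function queuePoolEdit(uint256 poolId_, Pool calldata params_) external onlyAdmin {
        uint256 eta = block.timestamp + MIN_DELAY;
        pending[poolId_] = Proposal(params_, eta);
        emit PoolEditQueued(poolId_, eta);
    }

    // Step 2: anyone may apply the change once the delay has elapsed. Exactly the
    // queued parameters are written, so they cannot be swapped at execution time.
    function executePoolEdit(uint256 poolId_) external {
        Proposal memory p = pending[poolId_];
        require(p.eta != 0, "nothing queued");
        require(block.timestamp >= p.eta, "timelock active");
        delete pending[poolId_];
        pools[poolId_] = p.params;
        emit PoolEdited(poolId_);
    }

    // The admin may abandon a queued change before it executes.
    function cancelPoolEdit(uint256 poolId_) external onlyAdmin {
        delete pending[poolId_];
        emit PoolEditCancelled(poolId_);
    }
}
```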

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
