NFTBridge
60,000 USDC
Submission Details
Severity: high
Invalid

Collections deployed by the L2 bridge contract are not upgradable or manageable

Summary

As the collection_owner of deployed bridgeable collections is set to the L2 bridge contract, the collections will never be able to be updated or managed.

Vulnerability Details

When users bridge tokens of a collection to L2, if there is no corresponding L2 collection already set, then the L2 bridge contract deploys an erc721_bridgable contract.

When the bridgeable collection is deployed, the collection_owner is set to the bridge contract. Only the collection_owner will be able to upgrade the bridge or call manager functions such as set_base_uri, set_token_uri, etc.

But as the collection_owner in this case would be the bridge contract, it will never be able to upgrade or manage the collection because it doesn't have the necessary functions. This leaves collections deployed by the L2 bridge not upgradable or manageable once deployed.

Impact

Bridgeable collections deployed by the L2 bridge will never be able to be upgraded or managed.

Tools Used

Manual review

Recommendations

There should be a way to set an actual collection owner when auto deploying too.

Updates

Lead Judging Commences

n0kto Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
