Tadle

DeFi
30,000 USDC
Submission Details
Severity: medium
Invalid

No Mechanism for Changing Guardian Address in `TadleFactory` Contract

Github

  • https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/factory/TadleFactory.sol#L40

Summary

The `TadleFactory` contract acts as the factory for deploying related contracts within the Tadle system. It assigns the guardian role to an address that has exclusive privileges to deploy new contracts. However, the contract currently lacks a mechanism to change the guardian address, which poses a risk whenever the guardian address needs to be updated for security or operational reasons.

Vulnerability Details

The `TadleFactory` contract defines a guardian address upon deployment, which has exclusive rights to deploy related contracts using the `deployUpgradeableProxy` function. The contract includes a modifier `onlyGuardian` to restrict access to certain functions to this address.

The guardian address is set during the contract's initialization in the constructor and cannot be changed afterward. This design means that if the guardian's private key is compromised, or if the guardian's address needs to be updated for any reason (e.g., organizational changes, security upgrades), the contract would not allow for such a change.

The centralization of control in a single, unchangeable address creates a single point of failure. If the guardian address is compromised, the attacker could potentially deploy malicious contracts or prevent the deployment of necessary contracts within the Tadle system.

In dynamic environments, the inability to update critical roles like the guardian can be operationally limiting. Organizations often need to rotate keys or update privileged addresses, and the lack of this capability could hinder effective contract management.

Impact

If the guardian address is compromised, the entire system's security could be at risk, as the attacker could deploy unauthorized contracts. The inability to update the guardian address limits the contract's adaptability to changes in governance or operational requirements. This design centralizes control in a single address without a mechanism for rotation or update, increasing the system's vulnerability to targeted attacks.

Tools Used

Manual Review

Recommendations

Introduce a function that allows the current guardian to change the guardian address to a new one. This function should include proper access control, ensuring that only the current guardian can invoke it, and the change should be a two-step process.

Updates

Lead Judging Commences
0xnevi Lead Judge, 11 months ago

Submission Judgement Published
0xnevi Lead Judge, 10 months ago
Invalidated
Reason: Design choice
