Summary

The StrategyArb, StrategyOp, and StrategyMainnet contracts lack an upgradability pattern, meaning their logic cannot be modified post-deployment. This limitation poses risks related to bug fixes, security vulnerabilities, and evolving requirements.

Vulnerability Details

The absence of an upgrade mechanism means that if a critical vulnerability is discovered after deployment, it cannot be patched without redeploying a new contract. This not only increases the risk for users but also complicates fund management during migrations.

Impact

• Inability to Fix Bugs: If a vulnerability is discovered, funds may remain at risk until a new version is deployed.

• User Frustration: Users may face challenges in accessing their funds or may need to migrate manually to a new contract.

• Potential for Exploits: A static contract is more susceptible to exploitation if a bug exists that could be leveraged by malicious actors.

Tools Used

• Manual code review of StrategyArb, StrategyOp, and StrategyMainnet contracts.

Recommendations

1. Implement an Upgradability Pattern: Utilize a proxy pattern to enable contract upgrades without losing state or requiring user migration.

2. ensure that access control measures are in place for any upgradeable functions to prevent unauthorized modification