Executive Summary:
This report highlights a critical security vulnerability in the contract's role-based access control related to the emergency shutdown functionality. The emergencyShutdown function is incorrectly protected by DEFAULT_ADMIN_ROLE instead of the intended EMERGENCY_SHUTDOWN_ROLE. Furthermore, the EMERGENCY_SHUTDOWN_ROLE is not initially granted to any account during contract deployment. This combination of issues severely compromises the intended security model, potentially leading to unauthorized control over the emergency shutdown mechanism.
Detailed Description:
The contract utilizes the Ownable pattern to manage privileged operations through role-based access control. The intent is to restrict the execution of the emergencyShutdown function to a designated account (or accounts) holding the EMERGENCY_SHUTDOWN_ROLE. However, the current implementation exhibits two key flaws:
1. Incorrect Role Assignment in the emergencyShutdown Function: The emergencyShutdown function is guarded by onlyRole(DEFAULT_ADMIN_ROLE). This means that instead of restricting access to accounts with the EMERGENCY_SHUTDOWN_ROLE, anyone possessing the DEFAULT_ADMIN_ROLE can execute this critical function.
2. Missing Role Grant for EMERGENCY_SHUTDOWN_ROLE during Construction: The EMERGENCY_SHUTDOWN_ROLE is not granted to any account in the contract's constructor. The existing code lacks the _grantRole call needed to assign this role to an initial owner or designated account(s). This leaves the EMERGENCY_SHUTDOWN_ROLE effectively unusable.
Impact:
The vulnerability has the following potential consequences:
Unauthorized Emergency Shutdowns: If the DEFAULT_ADMIN_ROLE is compromised or inadvertently assigned to an untrusted actor, that actor would be able to trigger the emergencyShutdown function, potentially halting critical operations and causing significant disruption to the contract's functionality and associated users.
Denial of Service: An attacker controlling the DEFAULT_ADMIN_ROLE could maliciously trigger emergencyShutdown, rendering the contract unusable.
Loss of Control: The intended emergency shutdown mechanism becomes ineffective, as no account is initially authorized to use it. This prevents the contract owner or designated emergency contact from quickly reacting to critical system failures or exploits.
Severity: Critical
This vulnerability is classified as critical due to the potential for significant financial loss, operational disruption, and reputational damage. The incorrect role assignment for a core security function, combined with the lack of initial role assignment, makes the emergency shutdown mechanism fundamentally flawed.
Recommended Remediation:
1. Correct Role Assignment in emergencyShutdown: Modify the emergencyShutdown function's access control modifier to use the correct role:
2. Grant EMERGENCY_SHUTDOWN_ROLE during Construction: Add a _grantRole call in the constructor to grant the EMERGENCY_SHUTDOWN_ROLE to the appropriate initial owner or address:
Replace initialEmergencyShutdownAddress with the address you want to initially control the emergency shutdown. Consider using a multi-signature wallet address for increased security.
Code Example (Fixed):
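The following is an added illustration of both remediation steps applied together, written for this report and not taken from the audited project; the contract name EmergencyControlled, the shutdown flag, the event, and the constructor parameters initialAdmin and initialEmergencyShutdownAddress are assumptions, and it builds on OpenZeppelin's AccessControl.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example for this report; hypothetical contract, not the audited code.
import "@openzeppelin/contracts/access/AccessControl.sol";

contract EmergencyControlled is AccessControl {
    bytes32 public constant EMERGENCY_SHUTDOWN_ROLE =
        keccak256("EMERGENCY_SHUTDOWN_ROLE");

    bool public shutdown;

    event EmergencyShutdown(address indexed triggeredBy);

    // initialAdmin: account that administers roles (holds DEFAULT_ADMIN_ROLE).
    // initialEmergencyShutdownAddress: account (ideally a multisig) allowed to
    // trigger the shutdown. Both parameter names are assumptions of this example.
    constructor(address initialAdmin, address initialEmergencyShutdownAddress) {
        require(initialAdmin != address(0), "zero admin address");
        require(initialEmergencyShutdownAddress != address(0), "zero shutdown address");
        _grantRole(DEFAULT_ADMIN_ROLE, initialAdmin);
        // Fix 2: grant the shutdown role at deployment so the mechanism is usable.
        _grantRole(EMERGENCY_SHUTDOWN_ROLE, initialEmergencyShutdownAddress);
    }

    // Fix 1: guard with EMERGENCY_SHUTDOWN_ROLE. The flawed version was guarded by
    // onlyRole(DEFAULT_ADMIN_ROLE), which let any admin halt the contract directly.
    function emergencyShutdown() external onlyRole(EMERGENCY_SHUTDOWN_ROLE) {
        shutdown = true;
        emit EmergencyShutdown(msg.sender);
    }
}
```

Note that in AccessControl the DEFAULT_ADMIN_ROLE is by default the admin of every other role, so an admin can still grant EMERGENCY_SHUTDOWN_ROLE to itself and then call the function; if the admin must be fully separated from the shutdown capability, change the role's admin with _setRoleAdmin in the constructor as well.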
Testing Recommendations:
After implementing the recommended remediation, thoroughly test the following:
Verify that only accounts with the EMERGENCY_SHUTDOWN_ROLE can successfully execute the emergencyShutdown function.
Confirm that attempts to execute emergencyShutdown from accounts lacking the EMERGENCY_SHUTDOWN_ROLE are correctly rejected.
Ensure that accounts with the DEFAULT_ADMIN_ROLE cannot execute emergencyShutdown.
Test the granting and revocation of the EMERGENCY_SHUTDOWN_ROLE to different addresses.
Consider a fuzzing or property-based testing approach to more exhaustively test the role-based access control mechanism.
Conclusion:
Addressing this vulnerability is paramount to ensuring the security and integrity of the contract. The provided fix and testing recommendations should be implemented immediately to mitigate the risk of unauthorized emergency shutdowns and maintain proper control over critical contract functionalities. This report emphasizes the importance of rigorous code review and thorough testing practices, particularly when dealing with sensitive functions governed by role-based access control.