FoundrySolidityLayer 2
7.25 ETH
Submission Details
Impact: medium
Likelihood: medium

Default Outcome Moderator Validation Depends on Protocol Design

Author Revealed upon completion

Root + Impact

Description

  • If the protocol expects the moderator to implement callback logic through a contract, assigning an EOA may break moderation functionality.

  • If the protocol intentionally allows EOAs or multisigs as moderators, then no issue exists.

// Root cause in the codebase with @> marks to highlight the relevant section

Risk

Likelihood:

  • Reason 1 // Describe WHEN this will occur (avoid using "if" statements)

  • Reason 2

Impact:

  • Most protocols intentionally use EOAs or multisigs for administrative roles.

Proof of Concept

The function only validates the zero address.
Whether additional validation is required depends entirely on the protocol specification.

function test_PoC_DefaultOutcomeModerator_AcceptsEOA_NoCodeCheck() public {
address eoa = makeAddr("eoaAsModerator");
assertEq(eoa.code.length, 0);
vm.prank(owner);
factory.setDefaultOutcomeModerator(eoa); // succeeds — EOA moderator accepted
assertEq(factory.defaultOutcomeModerator(), eoa);
}

Recommended Mitigation

If the protocol specification requires a contract moderator, validate the address:
Otherwise, document that EOAs and multisigs are supported.

- remove this code
function setDefaultOutcomeModerator(address newDefaultOutcomeModerator) external onlyOwner {
if (newDefaultOutcomeModerator == address(0)) revert ZeroAddress();
address old = defaultOutcomeModerator;
defaultOutcomeModerator = newDefaultOutcomeModerator;
emit DefaultOutcomeModeratorUpdated(old, newDefaultOutcomeModerator);
}
+ add this code
function setStakeTokenAllowed(address token, bool allowed)
external
onlyOwner
{
if (token == address(0))
revert ZeroAddress();
if (token.code.length == 0)
revert NotAContract();
allowedStakeToken[token] = allowed;
emit StakeTokenAllowedUpdated(token, allowed);
}

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!