Category: Coding Mistakes

Validators cannot be removed

Severity: Medium
Impact: Medium
Likelihood: Low

Description

A minter can pass multiple signatures as arguments to the unlock function, signed by various validators, to claim Ether or tokens. Each signature must be signed by a validator that the owner has added to the whitelist. Validators can be added using the addListValidator function; however, there is no function implemented to remove validators from the whitelist.

function _addListValidator(address[] memory _validators) internal {
    require(_validators.length > 0, "Invalid length");
    for (uint256 i = 0; i < _validators.length; i++) {
        validators[_validators[i]] = true;
    }
}

Impact

The inability to remove validators from the whitelist poses a protocol risk if a validator becomes untrustworthy or malicious. For example, if a validator's private key is compromised, the protocol owner may find it difficult to take appropriate security measures, further limiting operational flexibility.

Recommendations

Add a function that allows the owner to remove a registered validator.
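
A sketch of the recommended removal path, added here as an illustration; it is not the audited contract's code and not the fix referenced under Remediation. Only the validators mapping and _addListValidator come from the snippet above; the contract name, owner variable, onlyOwner modifier, events, zero-address check and removeListValidator are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: names other than `validators` and `_addListValidator`
// are hypothetical and do not come from the audited code base.
contract ValidatorRegistry {
    address public owner;
    mapping(address => bool) public validators;

    // Events give monitoring a record of every whitelist change.
    event ValidatorAdded(address indexed validator);
    event ValidatorRemoved(address indexed validator);

    modifier onlyOwner() {
        require(msg.sender == owner, "Not owner");
        _;
    }

    constructor(address[] memory _validators) {
        owner = msg.sender;
        _addListValidator(_validators);
    }

    function addListValidator(address[] memory _validators) external onlyOwner {
        _addListValidator(_validators);
    }

    // Revokes whitelist entries so that signatures from these keys no longer
    // pass a `validators[signer]` check. Reverts on an address that is not
    // whitelisted, which surfaces a mistyped address during an incident.
    function removeListValidator(address[] memory _validators) external onlyOwner {
        require(_validators.length > 0, "Invalid length");
        for (uint256 i = 0; i < _validators.length; i++) {
            address v = _validators[i];
            require(validators[v], "Not a validator");
            validators[v] = false;
            emit ValidatorRemoved(v);
        }
    }

    function _addListValidator(address[] memory _validators) internal {
        require(_validators.length > 0, "Invalid length");
        for (uint256 i = 0; i < _validators.length; i++) {
            address v = _validators[i];
            require(v != address(0), "Zero address");
            validators[v] = true;
            emit ValidatorAdded(v);
        }
    }
}
```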

Remediation

This issue has been acknowledged by Sotatek, and a fix was implemented in commit 17162c1a.

Zellic © 2025