Category: Protocol Risks

Centralization risk of upgradability.

Severity: Informational
Impact: Informational
Likelihood: N/A

Description

Note that PolygonVault and PolygonFundFlowController are upgradable.

Impact

While upgradability is a useful, common feature, it also introduces centralization risks. A malicious owner could change the implementation of the contracts to steal funds, disable the contract, or otherwise change the behavior of the contract in a way that is not in the interest of the users.

Recommendations

We recommend that the owner of the contracts be a governance contract or multi-sig. Otherwise, users must be aware of and accept the centralization risk.
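
One way to verify this recommendation on a deployment is sketched below as an added example; it is not code from the report or from the audited project. It assumes the contracts expose an Ownable-style `owner()` and that a multi-sig owner is Safe-style with `getThreshold()`, neither of which the report states; `classify_owner`, `fake_rpc` and all addresses are constructed for illustration.

```python
from typing import Callable, Optional, Tuple

# Assumed interfaces (not stated in the report): Ownable-style owner() on the
# upgradable contract, Safe-style getThreshold() on a multi-sig owner.
OWNER_SEL = "0x8da5cb5b"      # owner()
THRESHOLD_SEL = "0xe75235b8"  # getThreshold()

Rpc = Callable[[str, list], str]  # (JSON-RPC method, params) -> hex result


def classify_owner(rpc: Rpc, contract: str) -> Tuple[str, str]:
    """Return (owner_address, verdict) for one upgradable contract."""
    raw = rpc("eth_call", [{"to": contract, "data": OWNER_SEL}, "latest"])
    if len(raw) != 66:
        return ("", "no-owner-function")
    owner = "0x" + raw[-40:]  # address is the low 20 bytes of the 32-byte word
    if int(owner, 16) == 0:
        return (owner, "zero-address")
    code = rpc("eth_getCode", [owner, "latest"])
    # No code, or only an EIP-7702 delegation designator: a single key is in control.
    if code in ("", "0x") or code.startswith("0xef0100"):
        return (owner, "eoa")
    try:
        word = rpc("eth_call", [{"to": owner, "data": THRESHOLD_SEL}, "latest"])
        threshold = int(word, 16) if len(word) == 66 else 0
    except Exception:  # call reverted: owner is not a Safe-style wallet
        threshold = 0
    if threshold >= 1:
        # A threshold of 1 still lets one signer upgrade alone.
        return (owner, f"multisig-threshold-{threshold}")
    return (owner, "contract-unknown")  # governance or timelock: review manually


def fake_rpc(owner: str, code: str, threshold: Optional[int]) -> Rpc:
    """Constructed in-memory stand-in for a node, so the example runs offline."""
    def rpc(method: str, params: list) -> str:
        if method == "eth_getCode":
            return code
        data = params[0]["data"]
        if data == OWNER_SEL:
            return "0x" + owner[2:].rjust(64, "0")
        if data == THRESHOLD_SEL and threshold is not None:
            return "0x" + format(threshold, "064x")
        raise RuntimeError("execution reverted")
    return rpc
```

Against a real node, `rpc` would be a thin wrapper that posts the method and params to the JSON-RPC endpoint and returns the `result` field; the verdict is a triage hint, and a `contract-unknown` owner still needs manual review.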

Remediation

In addition, Stake.link has provided the following response:

We will ensure that the owner will be a multi-sig.

Zellic © 2025