Description

The setBlockUpdater function in ZkBridgeOracleV2 allows the contract owner to modify the block updater for any source chain. The block updater is responsible for validating receipt hashes against a given block hash.

function setBlockUpdater(uint16 _sourceChainId, address _blockUpdater) external onlyOwner {
    require(_blockUpdater != address(0), "ZkBridgeOracle:Zero address");
    emit ModBlockUpdater(_sourceChainId, address(blockUpdaters[_sourceChainId]), _blockUpdater);
    blockUpdaters[_sourceChainId] = IBlockUpdater(_blockUpdater);
}

Impact

The owner can potentially change the block updater to an arbitrary contract and thereby bypass the security guarantees of the contract.

Recommendations

We recommend integrating a governance for the owner or a timelock mechanism to remediate arbitrary updates to blockUpdaters.

Remediation

Polyhedra Network provided the following response to this finding:

Regarding your concerns with the ZkBridgeOracle contract and specifically, the setBlockUpdater function, please be aware that the contract currently possesses the ability to change the blockUpdater due to the hi-tech and intricate nature of the Zero-Knowledge Proofs. This upgradability allows us to swiftly deal with and settle any unforeseen issues, thereby enhancing the security and overall continuity of our services.

However, this arrangement is not permanent. Our ultimate plan is to transition towards a non-adjustable contract when the operations of the ZkBridgeOracle proves to be steady and reliable. At that point, we expect an enhancement in the solidity and safety of the contract. We foresee this transition to be implemented within a month, and we greatly appreciate your understanding on this matter.