Centralization risk
Description
At the end of deployment and configuration of the AddressLockProxy, OutputReceiverProxy, ResonateHelper, and Resonate, ownership is primarily concentrated in a single account. However, a specially designated sandwich bot is able to access the proxyCall(...)
and sandwichSnapshot
functions in the ResonateHelper. These functions cannot move funds outside of the system but can move the location of funds within the system for the purpose of snapshot voting. When new pools are added to resonate they are created along with their own ResonateSmartWallet and PoolSmartWallet contracts. These wallets can only be accessed by Resonate. There are no owners of the ERC4626
adapters used to interface between Resonate and the vaults.
In general, the owner of Resonate cannot stop the protocol or withdraw funds other than through regular use of the protocol. However, they are in control of the address of the oracle. By manipulating the price of the oracle they could grossly inflate the number of packets a producer order is entitled to and profit from matches with consumer orders (more in the discussion on oracle risk).
The protocol relies heavily on the proper functioning of several external vaults. Under the current scope of this audit these include Aave and Yearn. Compromise of these vaults could break the system and result in loss of funds. This is viewed as an acceptable and necessary risk.
Resonate also relies on several key contracts in the Revest ecosystem. These include a registry that returns the address of Revest and the FNFT Handler. Compromise of this registry could direct Resonate to interact with compromised contracts. Furthermore, compromise of Revest or the FNFT handler could break the protocol or result in loss of funds. For example, Revest is responsible for calling critical functions in Resonate for claiming interest and principal. The burning of FNFTs is handled by Revest, and the FNFT handler and its compromise could potentially result in repeated claiming of interest and/or principal.
Impact
Control of Resonate is heavily concentrated in a single account; however, compromise of this account presents limited vectors for exploitation. A compromised owner account could alter the price oracle to one in their control and use this to exploit the system for financial gain.
The compromise of the sandwich bot could result in abuse of proxyCall
and sandwichSnapshot
, which could disrupt the proper functioning of the protocol.
Recommendations
The use of a multisignature address wallet can prevent an attacker from causing economic damage in the event a private key is compromised. Timelocks can also be used to catch malicious executions. It should be verified that this practice is being followed for not just the core Resonate contracts (including the sandwich bot) but also the other contracts it interacts with listed above.
The oracle should be carefully set to a trusted source such as ChainLink or an alternative that uses a sufficiently long TWAP. Care needs to be taken in ensuring the price oracle cannot be manipulated through flash loans or other means of attack.
Remediation
Revest has provided a highly detailed response which adequately addresses our concerns around the access management of critical contracts. Their procedures for managing centralization risk include the following:
Resonate will use, at a minimum, a 3 of 5 multisig. No more than a simple majority will be core team members, the remainder will be drawn from the community. The members of the Resonate multisig will have no more than two members overlapping with the Revest multisig.
Sandwich bot access will initially align with Resonate access.
Revest currently uses a 3 of 7 mutlisig. This will be upgraded to a 4 of 7 soon.
The registry is currently controlled by a multisig.
A multisig will be used to control the oracle systems.
The FNFT handler is immutable.
An individual will posesses no more than one key on a given multisig. In general the use of hardware wallets is either mandated (Resonate) or encouoraged (Revest, non-officers).
As progressive decentralization occurs, control over many of the contracts in the Revest-Resonate ecosystem will be migrated to intermediary contracts/DAOs.