fix: SECURITY_REVIEW.md references obsolete recenterAccess pattern (#838)
- Update M-3 finding: recenterAccess was removed; MIN_RECENTER_INTERVAL (60s) cooldown now enforced unconditionally — downgrade severity to Informational (resolved)
- Update Access Control Summary: remove recenterAccess rows, reflect permissionless recenter() with cooldown
- Update Conclusion: mark M-3 as resolved
- Fix stale M-1 impact note that mentioned recenterAccess as a workaround
- deployment.md: remove Section 3.2 "Set Recenter Access" (setRecenterAccess no longer exists); update 3.3 first-recenter comment
- deployment.md: replace recenterAccess() verification call with lastRecenterTime() check
- deployment.md §6.1: rewrite Pause Recentering note — no access-control switch exists, cooldown is the only rate limiter
- deployment.md §6.5: remove stale setRecenterAccess(0xdEaD) instruction

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
ed15d23746
commit
9b75817300
2 changed files with 25 additions and 51 deletions
|
|
@ -100,22 +100,13 @@ cast send $LIQUIDITY_MANAGER --value 10ether \
|
|||
--mnemonic "$(cat .secret)"
|
||||
```
|
||||
|
||||
### 3.2 Set Recenter Access
|
||||
### 3.2 Trigger First Recenter
|
||||
|
||||
Restrict `recenter()` to the txnBot address:
|
||||
|
||||
```bash
|
||||
# Must be called by feeDestination (multisig)
|
||||
cast send $LIQUIDITY_MANAGER "setRecenterAccess(address)" $TXNBOT_ADDRESS \
|
||||
--rpc-url $BASE_RPC \
|
||||
--mnemonic "$(cat .secret)" # or via multisig
|
||||
```
|
||||
|
||||
### 3.3 Trigger First Recenter
|
||||
`recenter()` is permissionless — any address may call it. The 60-second cooldown (`MIN_RECENTER_INTERVAL`) and TWAP oracle check are always enforced.
|
||||
|
||||
```bash
|
||||
# Wait for pool to accumulate some TWAP history (~5 minutes of trades)
|
||||
# Then trigger first recenter (must be called by recenterAccess)
|
||||
# Anyone can trigger the first recenter; txnBot will take over ongoing calls
|
||||
cast send $LIQUIDITY_MANAGER "recenter()" \
|
||||
--rpc-url $BASE_RPC \
|
||||
--from $TXNBOT_ADDRESS
|
||||
|
|
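Review bot: The retained `cast send $LIQUIDITY_MANAGER "recenter()"` command at the end of this hunk still sends with `--from $TXNBOT_ADDRESS`, directly under the new comment that says anyone can trigger the first recenter, so the example still reads as if the sender matters. Either say in the comment that `$TXNBOT_ADDRESS` is just a convenient funded account, or use a neutral sender variable. It would also help to state what the operator should expect if the call is made before the pool has enough TWAP history or inside the 60-second cooldown, since those two checks are now the only gate. Separately, the heading moves from 3.3 to 3.2, so any references to "3.3" elsewhere in deployment.md need a pass.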
@ -187,7 +178,7 @@ cast call $KRAIKEN "peripheryContracts()" --rpc-url $BASE_RPC # LM + Stake addr
|
|||
|
||||
# 2. LiquidityManager
|
||||
cast call $LM "feeDestination()" --rpc-url $BASE_RPC # Should be multisig
|
||||
cast call $LM "recenterAccess()" --rpc-url $BASE_RPC # Should be txnBot
|
||||
cast call $LM "lastRecenterTime()" --rpc-url $BASE_RPC # Should be non-zero after first recenter
|
||||
cast call $LM "positions(0)" --rpc-url $BASE_RPC # Floor position (after recenter)
|
||||
cast call $LM "positions(1)" --rpc-url $BASE_RPC # Anchor position
|
||||
cast call $LM "positions(2)" --rpc-url $BASE_RPC # Discovery position
|
||||
|
|
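Review bot: The replacement check `lastRecenterTime()` with "Should be non-zero after first recenter" only proves that some recenter has happened, whereas the removed line compared against a specific expected value. Suggest naming the expected value, for example the block timestamp of the first-recenter transaction from the earlier section, so the checklist catches a recenter made by an unexpected caller before the operator's own. If the contract exposes `MIN_RECENTER_INTERVAL` through a public getter (not visible in this diff), a line confirming it reads 60 would verify the one control the docs now rely on.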
@ -212,17 +203,9 @@ cast balance $LM --rpc-url $BASE_RPC # Should show funded
|
|||
|
||||
### 6.1 Pause Recentering
|
||||
|
||||
**WARNING:** `revokeRecenterAccess()` does NOT pause recentering. It makes `recenter()` permissionless (anyone can call it with 60-second cooldown + TWAP check). In an attack scenario, this would make things worse.
|
||||
**NOTE:** `recenter()` is permissionless — there is no access-control switch to block it. The only mechanism that prevents a recenter is the 60-second `MIN_RECENTER_INTERVAL` cooldown and the TWAP oracle check. There is no admin function to revoke or grant access.
|
||||
|
||||
To truly lock out recenters, set `recenterAccess` to a burn address that no one controls:
|
||||
|
||||
```bash
|
||||
# Called by feeDestination (multisig) — sets access to a dead address
|
||||
cast send $LM "setRecenterAccess(address)" 0x000000000000000000000000000000000000dEaD \
|
||||
--rpc-url $BASE_RPC
|
||||
```
|
||||
|
||||
This leaves existing positions in place but prevents any new recenters. LP positions continue earning fees. To resume, call `setRecenterAccess()` with the txnBot address again.
|
||||
In an attack scenario the most effective response is to upgrade or replace the contract (see §6.3 / §6.4). Existing positions remain in place and continue earning fees regardless of recenter activity.
|
||||
|
||||
### 6.2 Upgrade Optimizer to Safe Defaults
|
||||
|
||||
|
|
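Review bot: The section is still titled "6.1 Pause Recentering", but the new NOTE states there is no way to pause it, so an operator scanning headings during an incident will land here expecting a pause procedure. Suggest renaming the heading to say that recentering cannot be paused and making the first sentence the pointer to §6.3 / §6.4. The NOTE also says "The only mechanism ... is" and then lists two things (the cooldown and the TWAP oracle check); reword to "The only constraints are". Because an upgrade or replacement is now the sole response, the section should say how long that path takes relative to the 60-second cooldown, or that a patched implementation should be pre-staged.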
@ -252,7 +235,7 @@ If the optimizer needs temporary override, deploy a new implementation with hard
|
|||
### 6.5 Known Attack Response: Floor Ratchet
|
||||
|
||||
If floor ratchet extraction is detected (rapid recenters + floor tick creeping toward current price):
|
||||
1. **Immediately** set recenter access to burn address (`0xdEaD`) — do NOT use `revokeRecenterAccess()` as it makes recenter permissionless
|
||||
1. **Immediately** assess severity — `recenter()` is permissionless (no access-control switch exists); the 60s cooldown is the only rate limiter
|
||||
2. Assess floor position state via `positions(0)`
|
||||
3. Deploy patched LiquidityManager if fix is ready
|
||||
4. Current mitigation: bear-mode parameters (AW=100) create 7000-tick floor distance, making ratchet extraction significantly harder
|
||||
|
|
|
|||
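Review bot: The new step 1 says "**Immediately** assess severity" and step 2 is "Assess floor position state via `positions(0)`", so the runbook now opens with two assessment steps and names no containment action until step 3, which is conditional on a fix being ready. Suggest merging steps 1 and 2 into one step that says what to measure (recenter frequency against the 60s cooldown, floor tick movement from `positions(0)`) and what result triggers step 3. The list should also say what to do when no patched LiquidityManager is ready, since the removed burn-address step was the only immediate action and nothing replaces it.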