Compound Polygon Bridge Receiver Audit

Off-Chain (Private)
Audited on 2023/02/17
No active critical issues

Summary

Notes & Additional Information: 5 (0 resolved, 2 partially resolved)

Scope

We audited the compound-finance/comet repository at the 2eb33b5e8454dba148373b6cb64ede4f7436fad7 commit. In scope were the following contracts:

- contracts/bridges/BaseBridgeReceiver.sol...

System Overview

Compound plans to deploy v3 of its protocol to Polygon. This audit focused on the deployment of the communication infrastructure between the existing Compound Governor contract on Ethereum Mainnet and the Polygon Network. In order for the Compound Governor contract from...

Issues (9)

            Low   Medium   High   Critical   Total
Not fixed   -     -        -      -          0
Fixed       7     2        -      -          9
Total       7     2        0      0          9

- BaseBridgeReceiver can be rendered inoperable by incorrectly setting the localTimelock (fixed/medium)
- Proposals cannot be canceled (fixed/medium)
- Identical transactions can be executed inside the same proposal (fixed/low)
- Inconsistent transaction expiry (fixed/low)
- Inconsistent usage of uint across loops (fixed/low)
- Lack of indexed parameter (fixed/low)
- Missing distinction between queued and ready-to-execute state (fixed/low)
- Reversions in Polygon will not be seen in Ethereum (fixed/low)
- Unused return value from executeTransaction (fixed/low)

Contracts (5)

#   File Name
1   contracts/vendor/Timelock.sol
2   contracts/ITimelock.sol
3   contracts/bridges/BaseBridgeReceiver.sol
4   contracts/bridges/polygon/PolygonBridgeReceiver.sol
5   contracts/bridges/vendor/fx-portal/contracts/FxChild.sol