F-2025-0002 · centralization-risk

Upgrade Permission for the Protocol Assigned to the Project Owner

Fixed · airdrop · merkle-proof · token-distribution · merkle-token-distributor
TL;DR

Upgrade authority is gated on the contract owner (the project team) instead of TokenTable, letting a malicious project owner deploy a custom implementation that bypasses fee collection.

Severity: LOW
Impact: LOW
Likelihood: LOW
Method: Manual review
Category: centralization-risk
Complexity: LOW
Exploitability: LOW

Description

In the protocol, there are two roles:

  • The MDCreate2 contract controlled by TokenTable, which is responsible for initialising the contracts inheriting from BaseMerkleDistributor and includes the fee parameters required for token distribution.
  • The contract owner, which is controlled by the project team responsible for the token distribution.

However, the upgrade privilege is assigned to the contract owner rather than to TokenTable:

```solidity
// UUPS upgrade hook: only the contract owner (the project team) can authorise a new implementation
// solhint-disable-next-line no-empty-blocks
function _authorizeUpgrade(address newImplementation) internal virtual override onlyOwner { }
```

Because the only check is onlyOwner, the project owner alone decides which implementation the distribution proxies execute. TokenTable, which configured the fee parameters at initialisation through MDCreate2, has no say in (and no veto over) an upgrade.


Impact

The project team can upgrade the distribution proxy to an implementation they control. Since the upgrade is authorised by the contract owner alone, nothing forces the new implementation to honour the fee parameters that MDCreate2 set at initialisation: it can drop the fee logic entirely, so distributions pay nothing to TokenTable, or redirect the fee to an address the project team controls.
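To make the description and the impact above concrete, the following Foundry test is an added example; it is not TokenTable's code and is not taken from the audited repository. It assumes OpenZeppelin v5 (the upgradeable variant for the implementation, ERC1967Proxy from the base package) and forge-std are installed. The contract names DistributorV1 and DistributorMalicious, the feeCollector/feeBps fields and the claim() function are hypothetical stand-ins for BaseMerkleDistributor; ETH is used in place of the real token accounting and merkle-proof verification is omitted. The factory role (TokenTable) initialises the proxy with the fee terms, the project owner then upgrades past the onlyOwner gate to an implementation that skips the fee, and the second claim pays TokenTable nothing.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not TokenTable code. Assumes OpenZeppelin v5 (upgradeable) and
// forge-std; every contract and function name below is hypothetical.
import {Test} from "forge-std/Test.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";

/// Stand-in for a BaseMerkleDistributor-style implementation. The factory (TokenTable)
/// initialises it with the fee parameters; the project team becomes the owner.
contract DistributorV1 is OwnableUpgradeable, UUPSUpgradeable {
    address public feeCollector; // TokenTable's fee recipient
    uint256 public feeBps;       // fee in basis points, e.g. 500 = 5%

    function initialize(address owner_, address feeCollector_, uint256 feeBps_) external initializer {
        __Ownable_init(owner_);
        __UUPSUpgradeable_init();
        feeCollector = feeCollector_;
        feeBps = feeBps_;
    }

    /// A claim forwards its fee share to TokenTable. ETH stands in for the real
    /// token accounting; merkle-proof verification is omitted as irrelevant here.
    function claim() external payable virtual {
        uint256 fee = (msg.value * feeBps) / 10_000;
        (bool ok, ) = feeCollector.call{value: fee}("");
        require(ok, "fee transfer failed");
    }

    /// The pattern flagged by the finding: the upgrade gate checks only the
    /// project owner, so TokenTable cannot veto a replacement implementation.
    function _authorizeUpgrade(address) internal override onlyOwner {}
}

/// Implementation a malicious project owner could switch to: same storage layout,
/// same interface, but claim() no longer forwards anything to feeCollector.
contract DistributorMalicious is DistributorV1 {
    function claim() external payable override {
        // fee logic deliberately dropped; the value stays in the proxy for the owner
    }
}

contract UpgradeGateTest is Test {
    address projectOwner = makeAddr("projectOwner");
    address tokenTable = makeAddr("tokenTable");
    address user = makeAddr("user");
    DistributorV1 dist;

    function setUp() public {
        // Factory role: deploy the proxy and initialise it with TokenTable's fee terms.
        DistributorV1 impl = new DistributorV1();
        bytes memory init = abi.encodeCall(DistributorV1.initialize, (projectOwner, tokenTable, 500));
        dist = DistributorV1(address(new ERC1967Proxy(address(impl), init)));
        vm.deal(user, 2 ether);
    }

    function test_OwnerCanReplaceImplementationAndBypassFee() public {
        vm.prank(user);
        dist.claim{value: 1 ether}();
        assertEq(tokenTable.balance, 0.05 ether); // 5% fee paid under the audited implementation

        // Only onlyOwner stands between the project team and a new implementation.
        // (The implementation is deployed first so the prank applies to the upgrade call.)
        DistributorMalicious evil = new DistributorMalicious();
        vm.prank(projectOwner);
        dist.upgradeToAndCall(address(evil), "");

        vm.prank(user);
        dist.claim{value: 1 ether}();
        assertEq(tokenTable.balance, 0.05 ether); // unchanged: the second claim paid no fee

        // TokenTable cannot undo it either: it was never an authorised upgrader.
        DistributorV1 fresh = new DistributorV1();
        vm.prank(tokenTable);
        vm.expectRevert();
        dist.upgradeToAndCall(address(fresh), "");
    }
}
```

Run with `forge test --match-contract UpgradeGateTest`. The remediation the page records (removing upgradeability) corresponds here to dropping UUPSUpgradeable from DistributorV1, after which the proxy has no upgradeToAndCall entry point and the implementation initialised by the factory is final; the last three lines of the test show why merely keeping onlyOwner is not enough, since the party that set the fee terms is the one party that cannot act.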


Recommendation

Remove the upgradeability option from the distributor contracts, so that the implementation initialised by MDCreate2 (and the fee parameters it enforces) cannot be swapped out by the project owner. If an upgrade path has to be retained for operational reasons, authorising an upgrade should require TokenTable rather than the contract owner.


Resolution

TokenTable: Fixed in c991b09f8da9eba24b0a789e6c7cb332d0394f40.

Status: Fixed
Fix commit: c991b09f8da9

© 2026 Zealynx