Incident Report: Implementation contract self-destruct bug

Start, End [7/10/18 0023 UTC - 12:56 7/11/17 0056 UTC]
Impact No known impact
Root cause summary No resilience to implementation contracts being self-destructed

Timeline and Impact

2020-12-30 19:22 UTC Nam reads an incident report and suspects Celo contracts might be vulnerable
2020-12-30 19:30 UTC Martin confirms vulnerability, notifying Asa and Tim
2020-12-30 10:10 UTC Nam finalizes fix to initialize implementation contracts, Martin verifies fix on staging testnet
2020-12-31 6:45 UTC Tim completes run of the initialization fix against all known ReleaseGold deployments on a fresh ledger wallet, contracts should be safe now

Root Causes

  • Celo’s upgradable contracts rely on implementation contracts to be available. What was missed is that implementation contracts can be self-destructed. No Celo Core Contract includes bytecode to delegatecall or self-destruct, but ReleaseGold does.

Reflection

Previous similar incidents

Things that went well

Things that didn’t go well

Actions [Proposed]

  • CLI command to assess vulnerability of a given ReleaseGold contract
  • Write script/tests that check that implementation contracts don’t have unintentional delegatecalls or self-destructs
  • Initialize implementation contracts as part of RG/core contract deploys

Issues Created

Run book Changes

Tactical Tensions

Governance Tensions