PR: #37 feat(contracts): full Aave + Venus + PancakeSwap liquidation flow
Commit: 54fe2bb
File: contracts/src/CharonLiquidator.sol lines 305-312
Problem: After flash-loan repayment contract transfers profit directly to owner:
uint256 profit = finalBal - totalOwed;
if (profit > 0) {
IERC20(p.debtToken).transfer(owner, profit);
}owner set to msg.sender in constructor — the hot operational wallet that signs liquidation transactions. CLAUDE.md safety invariant requires profit to flow to a separate immutable cold wallet, not the hot signer. Compromised hot key therefore drains accumulated profit in the same transaction that executes liquidation.
Impact: Critical operational security failure. Hot wallet key phished or leaked → attacker crafts liquidation call routing profit directly to themselves, or key loss alone exposes entire revenue stream.
Fix: Add COLD_WALLET immutable:
address public immutable COLD_WALLET;
Accept as separate constructor argument (not msg.sender) and sweep profit to COLD_WALLET instead of owner. owner retains operational permissions; COLD_WALLET holds funds. Document distinct addresses requirement in NatSpec.
PR: #37 feat(contracts): full Aave + Venus + PancakeSwap liquidation flow
Commit: 54fe2bb
File: contracts/src/CharonLiquidator.sol lines 305-312
Problem: After flash-loan repayment contract transfers profit directly to
owner:ownerset tomsg.senderin constructor — the hot operational wallet that signs liquidation transactions. CLAUDE.md safety invariant requires profit to flow to a separate immutable cold wallet, not the hot signer. Compromised hot key therefore drains accumulated profit in the same transaction that executes liquidation.Impact: Critical operational security failure. Hot wallet key phished or leaked → attacker crafts liquidation call routing profit directly to themselves, or key loss alone exposes entire revenue stream.
Fix: Add COLD_WALLET immutable:
Accept as separate constructor argument (not msg.sender) and sweep profit to COLD_WALLET instead of owner.
ownerretains operational permissions; COLD_WALLET holds funds. Document distinct addresses requirement in NatSpec.