
fix(contracts): OZ-L2-L07 Block Container Does Not Enforce Whitelist #651

Merged
merged 2 commits into from Jul 24, 2023

Conversation

zimpha
Member

@zimpha zimpha commented Jul 17, 2023

Purpose or design rationale of this PR

This PR fixes the bug (L-07 Block Container Does Not Enforce Whitelist) reported by OpenZeppelin. The following are the details:

In the L1BlockContainer contract, the importBlockHeader function can be called by anyone if the whitelist address has not been initialized.

The block container contract is used to check the state root when doing an inclusion proof in the verifyMessage{Inclusion|Execution}Status function. Hence, an attacker can determine which messages are seen as sent or executed on L1. Although the attacker cannot relay or retry any message on L2 because they are not the L1ScrollMessenger address, they can overwrite the state root to make retry messages fail.

Consider preventing the importBlockHeader function from being called if the whitelist address is zero.

PR title

Your PR title must follow conventional commits (as we are doing squash merge for each PR), so it must start with one of the following types:

  • build: Changes that affect the build system or external dependencies (example scopes: yarn, eslint, typescript)
  • ci: Changes to our CI configuration files and scripts (example scopes: vercel, github, cypress)
  • docs: Documentation-only changes
  • feat: A new feature
  • fix: A bug fix
  • perf: A code change that improves performance
  • refactor: A code change that doesn't fix a bug, or add a feature, or improves performance
  • style: Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc)
  • test: Adding missing tests or correcting existing tests

Deployment tag versioning

Has tag in common/version.go been updated?

  • No, this PR doesn't involve a new deployment, git tag, docker image tag
  • Yes

Breaking change label

Does this PR have the breaking-change label?

  • No, this PR is not a breaking change
  • Yes
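The pattern described in the finding above, shown as an added illustrative example rather than the actual L1BlockContainer source: a block container whose whitelist check is skipped when the whitelist address is still zero (fails open), beside a version that rejects every caller until the whitelist is initialized (fails closed). The IWhitelist interface, the `isSenderAllowed` function name, the contract and storage names, and the omitted access control on `updateWhitelist` are all assumptions made for the example, not taken from the project.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative example only; not Scroll's L1BlockContainer code.
// The interface name and isSenderAllowed signature are assumptions.
interface IWhitelist {
    function isSenderAllowed(address sender) external view returns (bool);
}

/// Minimal whitelist used by both containers below (hypothetical).
contract SimpleWhitelist is IWhitelist {
    address public immutable owner;
    mapping(address => bool) private allowed;

    constructor() {
        owner = msg.sender;
    }

    function setAllowed(address who, bool ok) external {
        require(msg.sender == owner, "not owner");
        allowed[who] = ok;
    }

    function isSenderAllowed(address sender) external view override returns (bool) {
        return allowed[sender];
    }
}

/// "Before": the check is conditional on the whitelist being set, so an
/// uninitialized (zero) whitelist lets ANY caller overwrite state roots.
contract VulnerableBlockContainer {
    address public whitelist;
    // block number => state root consumed by inclusion/execution proofs
    mapping(uint256 => bytes32) public stateRoots;

    // Access control deliberately omitted for brevity in this example.
    function updateWhitelist(address _whitelist) external {
        whitelist = _whitelist;
    }

    function importBlockHeader(uint256 blockNumber, bytes32 stateRoot) external {
        address _whitelist = whitelist;
        if (_whitelist != address(0)) {
            // Only enforced once someone remembers to set the whitelist.
            require(IWhitelist(_whitelist).isSenderAllowed(msg.sender), "Not whitelisted sender");
        }
        stateRoots[blockNumber] = stateRoot;
    }
}

/// "After": fail closed. A zero whitelist reverts instead of skipping the check,
/// so importBlockHeader is unusable until the whitelist has been configured.
contract FixedBlockContainer {
    address public whitelist;
    mapping(uint256 => bytes32) public stateRoots;

    modifier onlyWhitelistedSender() {
        address _whitelist = whitelist;
        require(_whitelist != address(0), "whitelist not initialized");
        require(IWhitelist(_whitelist).isSenderAllowed(msg.sender), "Not whitelisted sender");
        _;
    }

    // Access control deliberately omitted for brevity in this example.
    function updateWhitelist(address _whitelist) external {
        whitelist = _whitelist;
    }

    function importBlockHeader(uint256 blockNumber, bytes32 stateRoot)
        external
        onlyWhitelistedSender
    {
        stateRoots[blockNumber] = stateRoot;
    }
}
```

The defensive point is in the modifier: a missing dependency (here, an unset whitelist) should make the privileged path revert rather than silently disable the authorization check. A unit test for this kind of fix should cover both the uninitialized state (expect revert) and the initialized state with a non-whitelisted caller (expect revert), not only the happy path.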

@zimpha zimpha added the bug Something isn't working label Jul 17, 2023
@zimpha zimpha self-assigned this Jul 17, 2023
@github-actions

github-actions bot commented Jul 17, 2023

LCOV of commit 25aa491 during Contracts #1171

Summary coverage rate:
  lines......: 52.2% (894 of 1714 lines)
  functions..: 69.5% (203 of 292 functions)
  branches...: no data found

Files changed coverage rate: n/a

@HAOYUatHZ HAOYUatHZ merged commit f56997b into develop Jul 24, 2023
3 checks passed
@HAOYUatHZ HAOYUatHZ deleted the fix/block_container_does_not_enforce_whitelist branch July 24, 2023 14:57