Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(contracts): OZ-L07 Potentially Misleading Verifier Event #849

Merged
merged 4 commits into from Aug 25, 2023
Merged

fix(contracts): OZ-L07 Potentially Misleading Verifier Event #849

merged 4 commits into from Aug 25, 2023

Conversation

zimpha
Copy link
Member

@zimpha zimpha commented Aug 22, 2023

Purpose or design rationale of this PR

This PR partially fixed the issue reported by Openzepplin (L-07 Potentially Misleading Verifier Event). The following are the details:

The MultipleVersionRollupVerifier contract maps the batch index to the address of the verifier that was used. The owner of this contract can call the updateVerifier function in order to update the verifier. For this update to succeed, it requires that the provided startBatchIndex is greater than or equal to the previous verifier's startBatchIndex.

However, it does not check if that batch number has already been verified by the current verifier, which could be confusing. For example, if the current verifier's start index is 100, and it has verified batches up to batch 105, the new verifier could be set with a start index of 102. The event emitted would contain the index of 102, which would be confusing because it would appear to a user monitoring the events as though the new verifier was used to verify the batches 102-105 when in reality it was not. This could even be used maliciously by the owner to hide information relating to a faulty verifier.

Consider enforcing that the start index must be greater than the lastFinalizedBatchIndex.

PR title

Your PR title must follow conventional commits (as we are doing squash merge for each PR), so it must start with one of the following types:

  • fix: A bug fix

Deployment tag versioning

Has tag in common/version.go been updated?

  • No, this PR doesn't involve a new deployment, git tag, docker image tag
  • Yes

Breaking change label

Does this PR have the breaking-change label?

  • No, this PR is not a breaking change
  • Yes

@zimpha zimpha added the bug Something isn't working label Aug 22, 2023
@zimpha zimpha self-assigned this Aug 22, 2023
iczc
iczc previously approved these changes Aug 22, 2023
View reviewed changes
@codecov
Copy link

codecov bot commented Aug 25, 2023
edited

Codecov Report

Merging #849 (6f3f59b) into develop (e08b800) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff            @@
##           develop     #849   +/-   ##
========================================
  Coverage    51.28%   51.28%           
========================================
  Files           60       60           
  Lines         5588     5588           
========================================
  Hits          2866     2866           
  Misses        2483     2483           
  Partials       239      239
Flag Coverage Δ
bridge 63.51% <ø> (ø)
common 55.43% <ø> (ø)
coordinator 19.15% <ø> (ø)
database 42.85% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

@github-actions
Copy link

LCOV of commit 6f3f59b during Contracts #1314

Summary coverage rate:
  lines......: 54.1% (972 of 1798 lines)
  functions..: 71.1% (216 of 304 functions)
  branches...: no data found

Files changed coverage rate: n/a

@HAOYUatHZ HAOYUatHZ merged commit 7d50699 into develop Aug 25, 2023
22 checks passed
@HAOYUatHZ HAOYUatHZ deleted the fix/potentially_misleading_verifier_event branch August 25, 2023 02:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@iczc iczc iczc left review comments

Assignees

@zimpha zimpha

Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@zimpha @iczc @HAOYUatHZ