This repository has been archived by the owner on May 26, 2023. It is now read-only.
lemonmon - deposits: the sourceHash of L1 attributes deposited
#162
Labels
Has Duplicates
A valid issue with 1+ other issues describing the same vulnerability
Reward
A payout will be made for this issue
Specification
An issue related to the specification (low severity)
Comments
github-actions
bot
added
Has Duplicates
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
lemonmon
low
deposits: the
sourceHashof L1 attributes depositedSummary
The calculation of
sourceHashfor L1 attributes deposited is incorrect.Although, it is a very small difference, because of the misplaced blacket, it means a different thing with a different result from the actual calculation.
Vulnerability Detail
According to the specs, the
sourceHashof L1 attributes deposited is calculated based on:https://github.com/sherlock-audit/2023-01-optimism/blob/main/optimism/specs/deposits.md?plain=1#L92
It means the
l1BlockHashwill be hashed alone, before it is hashed with other values. However,l1BlockHashandseqNumbershould be hashed together, as the actual calculation in thedeposit_source.go:https://github.com/sherlock-audit/2023-01-optimism/blob/main/optimism/op-node/rollup/derive/deposit_source.go#L35-L46
Therefore, the line should be corrected as following:
Impact
factually incorrect information
The calculation of
sourceHashin the specs will give a different result from the actual code.Code Snippet
https://github.com/sherlock-audit/2023-01-optimism/blob/main/optimism/specs/deposits.md?plain=1#L92
https://github.com/sherlock-audit/2023-01-optimism/blob/main/optimism/op-node/rollup/derive/deposit_source.go#L35-L46
Tool used
Manual Review
Recommendation
correct the calculation
The text was updated successfully, but these errors were encountered: