fibonacci - DisputeGameFactory DoS due to incorrect extra data #124
Labels
Duplicate
A valid issue that is a duplicate of an issue with `Has Duplicates` label
Medium
A valid Medium severity issue
Reward
A payout will be made for this issue
Sponsor Confirmed
The sponsor acknowledged this issue is valid
Won't Fix
The sponsor confirmed this issue will not be fixed
fibonacci
medium
DisputeGameFactory DoS due to incorrect extra data
Summary
Extra data is utilized to pass the block number during the creation of a dispute game. If a game is instantiated with a block number that is lower than a previously resolved one, the game creation process will revert. Сreating a game with an intentionally inflated block number could potentially prevent the creation of new games in the future.
Vulnerability Detail
Extra data passed to the dispute game is
abi.encode(uint256(l2BlockNumber))
, which is the L2 block number that the proposer claims that the submitted output root (therootClaim
) corresponds to.Upon game resolution, the
ANCHOR_STATE_REGISTRY
is updated. If the game is resolved with theDEFENDER_WINS
status, the block number is stored in the anchor registry state.During the initialization of a new game, there is a check to ensure that the provided block number is greater than the one stored in the anchor registry state. If this condition is not met, the creation of a new game reverts.
Therefore, if an attacker successfully resolves a game with a block number value, for example,
type(uint256).max
, no new games will be able to be created.Let's examine several scenarios that illustrate how this can be achieved:
OptimismPortal2::finalizeWithdrawalTransaction
process, there is a check to prevent users from creating invalid disputes.respectedGameType
is set to any type other than the dispute game.type(uint256).max
.DEFENDER_WINS
status. The attacker may not even resolve the game at this moment.respectedGameType
is changed to the dispute game, the attacker resolves the previously created game.respectedGameTypeUpdatedAt
. However,type(uint256).max
as the block number still ends up in the anchor registry state.Since the block number is not subject to validation during the game, an attacker can provide a valid
rootClaim
but extra data with an invalid block number and defend it.Additionally, according to the rules for this contest, there is an assumption that
FaultDisputeGame
can resolve incorrectly (e.g., can resolve toDEFENDER_WINS
when it should resolve toCHALLENGER_WINS
or vice versa). There is a protection mechanism, and such a game should be blacklisted afterwards. However, an invalid block number will be set in the anchor registry state anyway.Impact
This issue prevents the creation of new dispute games.
Code Snippet
https://github.com/sherlock-audit/2024-02-optimism-2024/blob/main/optimism/packages/contracts-bedrock/src/dispute/FaultDisputeGame.sol#L372-L374
https://github.com/sherlock-audit/2024-02-optimism-2024/blob/main/optimism/packages/contracts-bedrock/src/dispute/FaultDisputeGame.sol#L401
https://github.com/sherlock-audit/2024-02-optimism-2024/blob/main/optimism/packages/contracts-bedrock/src/dispute/AnchorStateRegistry.sol#L80-L86
https://github.com/sherlock-audit/2024-02-optimism-2024/blob/main/optimism/packages/contracts-bedrock/src/dispute/FaultDisputeGame.sol#L528-L539
Tool used
Manual Review
Recommendation
I do not have an exact solution. It seems like the design of storing the last resolved block number should be reviewed.
Duplicate of #90
The text was updated successfully, but these errors were encountered: