lemonmon - FaultDisputeGame:move can be called after resolveClaim, makes the game unable to be resolved #168
Labels
Non-Reward: This issue will not receive a payout
Sponsor Confirmed: The sponsor acknowledged this issue is valid
Will Fix: The sponsor confirmed this issue will be fixed
lemonmon
high

FaultDisputeGame:move can be called after resolveClaim, makes the game unable to be resolved

Summary
Depending on how each team has spent its clock time, move/attack/defend can be called on an already resolved claim. This leaves the game unresolvable, freezes the bonds, and may undermine the withdrawal process of OptimismPortal2.
Vulnerability Detail
The proof of concept below shows a case where an attack is made on a resolved claim, leaving the game frozen (no longer resolvable). In the code, the following scenario is played out: 0(root) - 1 - 2 - 3 - 4. Note that the challenger team took longer than the defender team. The resolve function then reverts with the same OutOfOrderResolution error.
Note that alice does not care about the game's resolution: she simply picks the side with less time left, resolves any node of that team as soon as it becomes resolvable, and then makes a move on the resolved node. Since it is common for the two teams to spend different amounts of time in a game, a malicious actor is likely to find such a time window in many games. It is therefore quite possible to keep disabling games with this vulnerability, freezing withdrawals on OptimismPortal2 for a while.
Also note that alice does not lock up her own bond, since she can resolve her own node herself. The cost of the attack is therefore not nearly as high as the damage it causes.
If the Optimism protocol notices this rogue activity, it can recover all locked funds using the owner account of DelayedWETH, and alice may lose her bonds if the rescue happens before her withdrawal. Nevertheless, the Optimism team cannot make the game resolve once it is in this frozen state.
The bug is caused by a mismatch between the checks in the following two places:
https://github.com/sherlock-audit/2024-02-optimism-2024/blob/main/optimism/packages/contracts-bedrock/src/dispute/FaultDisputeGame.sol#L268-L284
https://github.com/sherlock-audit/2024-02-optimism-2024/blob/main/optimism/packages/contracts-bedrock/src/dispute/FaultDisputeGame.sol#L412-L416
As the example above shows, there can be a moment at which a node is already resolvable while a move on that node is still permitted. If the two happen in that order, the node cannot be resolved again, since it is already resolved, yet it now has a new child from the late move. Any attempt to resolve a node above it then reverts with OutOfOrderResolution.
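To make the mismatch concrete, here is an added Python model of the two clock checks, written for this page and not taken from the report or from the Optimism repository. It follows my reading of the referenced lines: move derives the new claim's clock from the grandparent's clock plus the time elapsed since the parent claim, while resolveClaim checks the claim's own clock plus the time elapsed since it was made, and a parent's resolution treats a child with a non-empty subgame list as unresolved. The GAME_DURATION value, timestamps and claim indices are constructed; the `harden` flag adds a check that is my own suggestion for illustration, not the report's recommendation or the contract's code.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed constants: the real game uses a 7-day GAME_DURATION; both checks
# only compare against GAME_DURATION / 2, so small numbers keep the arithmetic readable.
GAME_DURATION = 1000
HALF = GAME_DURATION // 2


class ClockNotExpired(Exception): ...
class ClockTimeExceeded(Exception): ...
class ClaimAlreadyResolved(Exception): ...
class OutOfOrderResolution(Exception): ...


@dataclass
class ClaimData:
    parent: Optional[int]        # None for the root claim
    duration: int                # clock time already consumed by this claim's team
    timestamp: int               # time at which the claim was made
    children: list = field(default_factory=list)
    bond_claimed: bool = False   # stands in for the "bond already paid out" sentinel


class Game:
    """Minimal model of the two clock checks; `harden` adds an extra invariant (assumption)."""

    def __init__(self, harden: bool = False):
        self.claims = [ClaimData(parent=None, duration=0, timestamp=0)]
        self.harden = harden

    def move(self, parent_idx: int, now: int) -> int:
        parent = self.claims[parent_idx]
        # Assumed hardening, not in the audited contract: refuse moves on a resolved claim.
        if self.harden and parent.bond_claimed:
            raise ClaimAlreadyResolved
        # The new claim's clock continues from the GRANDPARENT's duration, i.e. the
        # time already used by the team that is now moving.
        gp_duration = 0 if parent.parent is None else self.claims[parent.parent].duration
        next_duration = gp_duration + (now - parent.timestamp)
        if next_duration > HALF:
            raise ClockTimeExceeded
        self.claims.append(ClaimData(parent_idx, next_duration, now))
        idx = len(self.claims) - 1
        parent.children.append(idx)
        return idx

    def resolve_claim(self, idx: int, now: int) -> None:
        claim = self.claims[idx]
        # Resolution checks the claim's OWN clock: time used by the team that made it,
        # plus everything elapsed since, must exceed HALF.
        if claim.duration + (now - claim.timestamp) <= HALF:
            raise ClockNotExpired
        if claim.bond_claimed:
            raise ClaimAlreadyResolved
        # A child that still has children of its own is an unresolved subgame.
        for child in claim.children:
            if self.claims[child].children:
                raise OutOfOrderResolution
        claim.bond_claimed = True
        claim.children.clear()   # an emptied list is the "resolved" marker


def both_checks_window(game: Game, idx: int) -> tuple:
    """Inclusive time range in which resolve_claim(idx) AND a move on idx both pass their
    clock checks. Non-empty exactly when the claim's team has used more clock than the
    team that would move next (width = duration - grandparent duration)."""
    claim = game.claims[idx]
    gp_duration = 0 if claim.parent is None else game.claims[claim.parent].duration
    t_lo = claim.timestamp + HALF - claim.duration + 1   # resolve needs strictly more than HALF
    t_hi = claim.timestamp + HALF - gp_duration          # move allows up to and including HALF
    return t_lo, t_hi


def play_scenario(harden: bool = False):
    """Constructed timeline: the challenger (odd depths) spends far more clock than the
    defender (even depths), so the challenger's leaf claim 3 becomes resolvable early."""
    g = Game(harden)
    c1 = g.move(0, now=300)    # challenger attacks root; clock = 0 + 300 = 300
    c2 = g.move(c1, now=320)   # defender answers fast; clock = 0 + 20 = 20
    c3 = g.move(c2, now=470)   # challenger again; clock = 300 + 150 = 450
    g.resolve_claim(c3, now=600)   # 450 + 130 > HALF: already resolvable
    c4 = g.move(c3, now=600)       # mover's clock would be 20 + 130 = 150 <= HALF: still allowed
    return g, c2, c3, c4


def frozen_state(now: int = 2000) -> dict:
    """Vulnerable model: long after every clock has expired, try to resolve upwards."""
    g, c2, c3, c4 = play_scenario(harden=False)
    outcome = {}
    for label, idx in (("new_child", c4), ("resolved_claim", c3), ("parent", c2)):
        try:
            g.resolve_claim(idx, now)
            outcome[label] = "resolved"
        except (ClockNotExpired, ClaimAlreadyResolved, OutOfOrderResolution) as exc:
            outcome[label] = type(exc).__name__
    return outcome


def hardened_outcome() -> str:
    try:
        play_scenario(harden=True)
        return "move allowed"
    except ClaimAlreadyResolved:
        return "ClaimAlreadyResolved"


if __name__ == "__main__":
    g, _, c3, _ = play_scenario()
    print("window where resolve and move both pass for claim 3:", both_checks_window(g, c3))
    print("vulnerable model:", frozen_state())
    print("hardened model:", hardened_outcome())
```

In this model the window for claim 3 is [521, 950]: 430 seconds wide, exactly the gap between the 450 seconds the challenger has consumed and the 20 seconds the defender has. The defender's claim 2 has no such window, which is why the attacker picks a claim made by the team with less time left. Once claim 3 has been resolved and then moved on, the new child resolves normally, claim 3 reverts with ClaimAlreadyResolved, and claim 2 reverts with OutOfOrderResolution forever, matching the frozen state described above.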
Impact
It gives malicious actors a relatively cheap way (unless they are caught in time) to freeze the withdrawal process by preventing any game from resolving.
Code Snippet
https://github.com/sherlock-audit/2024-02-optimism-2024/blob/main/optimism/packages/contracts-bedrock/src/dispute/FaultDisputeGame.sol#L268-L284
https://github.com/sherlock-audit/2024-02-optimism-2024/blob/main/optimism/packages/contracts-bedrock/src/dispute/FaultDisputeGame.sol#L412-L416
Tool used
Manual Review
Recommendation
Due to the complexity of the game contract and the intentions of the protocol, it is unclear what the best mitigation would be.
One possibility is to wait for the full GAME_DURATION before resolving any claim. However, this essentially doubles the delay, which is probably not desirable.