nirohgo - The FGD l2BlockNumber (passed in extraData) can be any number, enabling a DOS on fund widthdrawals #205
Labels
Duplicate
A valid issue that is a duplicate of an issue with `Has Duplicates` label
Medium
A valid Medium severity issue
Reward
A payout will be made for this issue
Sponsor Confirmed
The sponsor acknowledged this issue is valid
Won't Fix
The sponsor confirmed this issue will not be fixed
nirohgo
high
The FGD l2BlockNumber (passed in extraData) can be any number, enabling a DOS on fund widthdrawals
Summary
A game's l2BlockNumber value is not checked to match the actual L2 block number being Claimed, which enables a DOS by creating and succsesfully resolving a game based on a valid rootClaim but with a uint256.max block number, preventing further games from running.
Vulnerability Detail
In the new Fault Proof system, games can only be created if the L2 block number they attempt to prove is larger than the last Anchor block of the same GameType. At the same time, when a game is created, the L2 block number it tries to prove is speficied in two places: 1. the latestBlockhash field of OutputRootProof (hashed into the the rootClaim Claim) 2. the extraData parameter. the first is used as part of the game execution process, while the second is used to identify the game's rootClaim block when checking that it is not earlier than the current anchor, and when setting the game as the new anchor (if it is resolved).
The root cause of this issue is that there is no validity check on the extraData block number and technically any block number can be used. This enables the following attack:
As a result, no withdrawal transaction that enters the L2 chain at a block larger then X+5 can be proven nor finalized (since no game can exist that proves its state)
POC
to
(which sets the extraData parameter to max uint256 without affecting the Claim)
2. run
pnpm build:go-ffi && forge test --match-path '*/FaultDisputeGame.t.sol' -vv
to see that all Fault Dispute Game tests run succesfully inspite of the change.3. add the following lines at the end of the test_resolve_validNewerStateUpdatesAnchor_succeeds funcion in test/dispute/FaultDisputeGame.t.sol:
pnpm build:go-ffi && forge test --match-test 'test_resolve_validNewerStateUpdatesAnchor_succeeds' -vv
See that after the attack, creating a new game fails with any block number.
Impact
A de-facto DOS preventing game creation/withdrawal prove/withdrawal finalization for any blocks and withdrawals following the previous anchor block (block X) that will last well over a week (on top of expected game duration, safety delays etc.). The combined effect is locked funds for over a week and denial of availability of time sensitive functions (game creation, game execution, widthdrawal proof, withdrawal finalization) making this high sevirity based on the Sherlock rule on DOS.
Code Snippet
https://github.com/sherlock-audit/2024-02-optimism-2024/blob/f216b0d3ad08c1a0ead557ea74691aaefd5fd489/optimism/packages/contracts-bedrock/src/dispute/FaultDisputeGame.sol#L513
Tool used
Manual Review
Foundry
Recommendation
As part of the game resolution process, validate the L2BlockNumber given in extraData and revert if the number is invalid.
Duplicate of #90
The text was updated successfully, but these errors were encountered: