An invalid assertion can get confirmed, even when there are honest participants

[howlbot-integration[bot]]

Lines of code

https://github.com/code-423n4/2024-05-arbitrum-foundation/blob/main/src/challengeV2/libraries/EdgeChallengeManagerLib.sol#L826-L830 https://github.com/code-423n4/2024-05-arbitrum-foundation/blob/main/src/challengeV2/libraries/EdgeChallengeManagerLib.sol#L529

Vulnerability details

Impact

Even though an assertion is invalid, adversary can make it get confirmed just because some states within it were valid. Note that even though an honest party later proves the state that was invalid, it would be irrelevant cos the adversay block edge level has been confirmed, and timer set to max uint64.

Proof of Concept

Normally, if there are two rival assertions, it is expected that the honest participant would bisect his edge to the exact point where he disagrees with the adversary, and then oneStepProve that executing a step on the prevState(which everyone agrees on), would yield the state that he claimed.

Once honest participant does that, he can then:

• confirmEdgeByOneStepProof, which would update the timerCache of that proven singleStepEdge to uint64.max
• updateTimerCacheByClaim, which allows him to recursively update timerCache of parent levels(till he reaches block level) to timerCache of the singleStepEdge(i.e. uint64.max)

  function updateTimerCacheByClaim(
  EdgeStore storage store,
  bytes32 edgeId,
  bytes32 claimingEdgeId,
  uint8 numBigStepLevel
  ) internal returns (bool, uint256) {
  // calculate the time unrivaled without inheritance
  uint256 totalTimeUnrivaled = timeUnrivaled(store, edgeId);
  checkClaimIdLink(store, edgeId, claimingEdgeId, numBigStepLevel);
  @>  totalTimeUnrivaled += store.edges[claimingEdgeId].totalTimeUnrivaledCache;
  return updateTimerCache(store, edgeId, totalTimeUnrivaled);
  }

• confirmEdgeByTime for the block level edge, which checks that the edge's timerCache(in this case, uint64.max) is greater than confirmationThresholdBlocks.
• Now, the block level edge is confirmed, so he can confirmAssertion in the assertion chain after the confirmPeriodBlocks.

But the issue is, Adversary can create an invalid assertion and bisect it to a point where it was valid, and perform the steps outlined above.

For example,

• Honest party assertion claim state = ABCDEFGH
• Adversary claim state=ABCDEFGZ
• Adversary bisects his edge to the point where he is able to prove that SmallStepEdge B transitions to C
• Adversary calls confirmEdgeByOneStepProof to confirm his SmallStepEdge
• Adversary updateTimeerCacheByClaim till he reaches his Block Edge
• Adversary confirmEdgeByTime of his block edge, and would be able to confirmAssertion in the assertionChain after confirmPeriodBlocks

Tools Used

Manual Review

Recommended Mitigation Steps

onestepProving an edge should not immediately allow the parent block edge to be confirmable, as the bigger picture may be invalid. Only those that were able to oneStepProve all the singleStepEdges as requested by other rivals after the confirmationThresholdBlocks should be allowed to updateTimerCacheByClaim, and confirmEdgeByTime.

Assessed type

Context

[gzeoneth]

Invalid. It is not possible to bisect where two parties agree. In the protocol these are just the same edge - only rivals can be bisected. It is possible to create additional assertion that bisect to arbitrary point, but winning 1 OSP does not mean confirmation immediately since timer is min(upperChild,lowerChild). The attacker still need to accumulate time in the other edge and would give honest validator enough time to bisect properly.

[c4-judge]

Picodes marked the issue as unsatisfactory: Invalid