Closed howlbot-integration[bot] closed 1 month ago
Invalid, all challenge from the same prev use the ECM stored in the prev even when ECM is changed for new assertions. In the diagram and POC, both D and E would use ECM1, children of D or E would use ECM2.
Picodes marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-05-arbitrum-foundation/blob/main/src/rollup/RollupUserLogic.sol#L115-L128
Vulnerability details
Description
EdgeChallengeManager (a.k.a. ECM) can be upgraded during the life cycle of a rollup and this is officialized by an Admin calling
RollupAdminLogic::setChallengeManager
.Let say we have the following
assertion chain setup
, so 3 assertions successfully confirmed, but then the 4th one, we have a divergence, and only the assertion winning the challenge will be able to be confirmed.The problem arise with the following code from RollupUserLogic::confirmAssertion, the implementation assume that the ECM instance to retrieve the winningEdge information is the
same as the previous assertion
, but as you can see in my setupthat is not guaranteed
. So while indeed the assertion E is the winner (edge confirmed, but in ECM2 instance, not ECM1), the code here will not find the edge information andwill always revert
, so theassertion chain will be stuck
. The team will be able to resolve the problem bypausing the rollup
and callingRollupAdminLogic::forceConfirmAssertion
. This seems unexpected and seem to warrantMedium
severity.Impacts
Assertion chain
temporarily stuck
if an assertion divergence arise while an ECM upgrade had just happened and the winner is against the new ECM instance (while the previous assertion is against the old ECM instance)Proof of Concept
I will demostrate the setup described initially. We have 3 actors in play: Admin, Honest and Evil validator. 1) Admin deploy the Rollup and ECM contracts. Everything run smootly for days. 2) Evil validator submit assertion D. 3) Admin decides to upgrade the contract changing the staking requirement, which require a full upgrade and call
setChallengeManager
. 4) Honest validator submit assertion E. 5) Both assertion D and E are challenged, E wins the battle and his edge is confirmed (in the new ECM instance). 6) Honest validator callconfirmAssertion
but that will revert because ofrequire(winningEdge.claimId == assertionHash, "NOT_WINNER");
, as the winner edge will not be found in the previous ECM storage.Recommended Mitigation Steps
Add a
fallback to the current ECM
in case the edge is not found from the previous assertion ECM.Assessed type
Upgradable