Open howlbot-integration[bot] opened 1 month ago
Invalid. The rollup would already have token to transfer to loser escrow since the first child would have sent token there. This is unless you try to create a second child on an assertion that is before latest confirmed, where the staker of latest confirmed had withdrawn his stake and thus the contract may have no fund. This edge case is out-of-scope tho because any assertion created on an assertion before latest confirmed should never be confirmable, and is ok to be reverted.
Downgrading to QA as the edge case scenario is indeed outside of the normal behavior of the system
Picodes changed the severity to QA (Quality Assurance)
Picodes marked the issue as grade-b
Lines of code
https://github.com/code-423n4/2024-05-arbitrum-foundation/blob/6f861c85b281a29f04daacfe17a2099d7dad5f8f/src/rollup/RollupUserLogic.sol#L210-L216 https://github.com/code-423n4/2024-05-arbitrum-foundation/blob/6f861c85b281a29f04daacfe17a2099d7dad5f8f/src/rollup/RollupUserLogic.sol#L331-L342 https://github.com/code-423n4/2024-05-arbitrum-foundation/blob/6f861c85b281a29f04daacfe17a2099d7dad5f8f/src/rollup/RollupUserLogic.sol#L366-L368 https://github.com/code-423n4/2024-05-arbitrum-foundation/blob/6f861c85b281a29f04daacfe17a2099d7dad5f8f/src/assertionStakingPool/AssertionStakingPool.sol#L40-L46
Vulnerability details
Impact
Users will not be able to create assertions leading to a DOS on a core functionality of the protocol.
Proof of Concept
Note that the
IRollupUser
is not deployed with funds deposited in it.User’s create an assertion using the
AssertionStakingPool::createAssertion(...)
function, at a high level the order of execution is as shown belowI have marked the portions of interest (as
L1
,L2
,L5
andL7
) in this high level trace. Lets go over the important stepsL1
- the creator of the assertion gives therollup
contract allowance (1) to spend it’s stake in order to create the assertionL2
therollup
contract starts the creation of the assertionL5
therollup
contract transfers an equivalent of the users stake amount to theloserStakeEscrow
contract from it’s ownstakeToken
balance (at this point its balance may be less than therequiredStake
L7
therollup
contract collects the users stake from the userHowever, when there are no fund in the
rollup
contract, theAssertionStakingPool::createAssertion(...)
call will revert atL5
because in the current implementation, the order of execution requires that therollup
contract transfer funds to theloserStakeEscrow
before actually receiving the funds from the user who is creating the assertion.Poc Summary
stakeToken
balance of therollup
contract is zero or less thanrequiredStake
AssertionStakingPool::createAssertion(...)
to create a new assertionrequiredStake
but the function reverts because the rollup does not have up to the currentrequiredStake
amount of thestakeToken
Tools Used
Manual review
Recommended Mitigation Steps
Modify the
RollupUserLogic::newStakeOnNewAssertion(...)
function as shown belowThe
rollup
should move the funds from the user’s account before it callsstakeOnNewAssertion(...)
.Assessed type
DoS