Closed howlbot-integration[bot] closed 1 month ago
Invalid. The rollup will not be drained because funds are only sent to the escrow if isFirstChild is false, which is not possible in the POC. The malicious validator is still slashed for one stake, because they've made one dishonest branch in the assertion tree. Honest parties are not burdened by additional work in the proposed scenario.
Picodes marked the issue as unsatisfactory: Invalid
Hey @gzeoneth and @Picodes, thanks so much for the judging.
In my POC I am just demonstrating that validators can unstake even if their assertion is not confirmed, as long as it has a child. So no matter if they made a bad assertion, they can withdraw as long as this assertion has a child. See my proof of concept. This breaks the invariant that a validator gets slashed for making bad assertions.
It is ok because the attackers (collectively) are still being slashed by no less than 1 stake.
Hey @gzeoneth, the problem is that an attacker can withdraw his ETH once his assertion has a child, and reuse this same ETH to make a new assertion on top of his first assertion.
See the scenario that I described in my submission:
The validator always gets back his stake in step 3, because the contract allows unstaking even if the assertion is not confirmed, as long as it has one child. If a malicious validator controls 2 stakers, he can just keep doing the same, creating new children of his own bad assertions and getting back his ETH each time a child is created, and the contract is sending the requiredStake to the escrow for each child created.
Thanks so much for your time @gzeoneth, I know that it is very valuable, so I appreciate it.
A child of an incorrect assertion does not matter; it will never be confirmable nor cause any delay.
https://github.com/code-423n4/2024-05-arbitrum-foundation
The resolution of challenges that do not involve honest claims is out of scope unless they lead to incorrect assertions being confirmed.
An honest validator does not stake on an invalid branch; child assertions of invalid assertions are considered irrelevant and are out of scope.
Lines of code
https://github.com/code-423n4/2024-05-arbitrum-foundation/blob/6f861c85b281a29f04daacfe17a2099d7dad5f8f/src/rollup/RollupCore.sol#L572
Vulnerability details
A validator can unstake if their assertion is the last confirmed one (see the first arrow below) or their assertion already has a first child (see the arrow below):
[Link]
Another point needed to understand the vulnerability is that validators can create a new assertion on top of non-confirmed parent assertions (a parent is the previous assertion). With that being said, an attacker can control 2 validators and do the next steps:
newStakeOnNewAssertion(...).
returnOldDeposit: since the assertion of validator number 1 already has a child, he can withdraw.
returnOldDeposit and withdraw his money. An attacker can keep doing this indefinitely, leading to some problems:
[Link]
Each time an assertion is created, an amount equivalent to the requiredStake is sent to the loserStakeEscrow, successfully leaving the rollup contract without funds.
Impact
This vulnerability has different impacts:
Proof of Concept
Run the following proof of concept in /test/Rollup.t.sol.
The point of the proof of concept is to demonstrate that validators can unstake even if their assertion is not confirmed, as long as it has a child. If the assertion is invalid they have already unstaked and can trick the protocol as I wrote in the description.
Tools Used
Manual, foundry
Recommended Mitigation Steps
Consider not allowing a validator to withdraw his stake until his assertion has been confirmed.
Assessed type
Other