Closed howlbot-integration[bot] closed 1 month ago
Invalid. buffer.bufferBlocks
would be updated and the second condition will not be met (threshold ≤ max)
We also check the config is valid - https://github.com/code-423n4/2024-05-arbitrum-foundation/blob/6f861c85b281a29f04daacfe17a2099d7dad5f8f/src/bridge/DelayBuffer.sol#L120
The report read the seconds condition incorrectly: the second condition buffer.bufferBlocks < bufferConfig_.threshold will also be true (since 100 < 50)
, whereas what the code do is correct: provided threshold < max
which is enforced here you can't enter both conditions
Picodes marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-05-arbitrum-foundation/blob/6f861c85b281a29f04daacfe17a2099d7dad5f8f/src/bridge/SequencerInbox.sol#L851-L856
Vulnerability details
Impact
_setBufferConfig function src\bridge\SequencerInbox.sol:847-865
The following lines: src\bridge\SequencerInbox.sol:851-855
The problem is that these two conditions are not mutually exclusive, and the second condition can override the first condition's assignment.
For example, if
buffer.bufferBlocks
is initially 0, andbufferConfig_.max
is greater thanbufferConfig_.threshold
, the first condition will setbuffer.bufferBlocks
tobufferConfig_.max
. However, the second condition will then immediately setbuffer.bufferBlocks
tobufferConfig_.threshold
, effectively overriding the previous assignment.This behavior is likely unintended and could lead to unexpected results.
Proof of Concept
The purpose of the
_setBufferConfig
function is to update the buffer configuration based on the providedbufferConfig_
parameters. However, the two conditional statements that update thebuffer.bufferBlocks
value have overlapping conditions, which can result in unintended behavior.Here's a breakdown of the issue:
The first condition
buffer.bufferBlocks == 0 || buffer.bufferBlocks > bufferConfig_.max
checks if the currentbuffer.bufferBlocks
value is either zero or greater than the newbufferConfig_.max
value. If this condition is true, it setsbuffer.bufferBlocks
tobufferConfig_.max
.The second condition
buffer.bufferBlocks < bufferConfig_.threshold
checks if the currentbuffer.bufferBlocks
value is less than the newbufferConfig_.threshold
value. If this condition is true, it setsbuffer.bufferBlocks
tobufferConfig_.threshold
.For example, consider the following scenario:
Initial state:
buffer.bufferBlocks = 0
New configuration:bufferConfig_.max = 100, bufferConfig_.threshold = 50
In this scenario, the first conditionbuffer.bufferBlocks == 0 || buffer.bufferBlocks > bufferConfig_.max
will be true, andbuffer.bufferBlocks
will be set tobufferConfig_.max = 100
.However, the second condition
buffer.bufferBlocks < bufferConfig_.threshold
will also be true (since 100 < 50), andbuffer.bufferBlocks
will be overwritten withbufferConfig_.threshold = 50
.This behavior is likely unintended, as it violates the expected logic of setting
buffer.bufferBlocks
to the maximum value (bufferConfig_.max
) if it is initially zero or greater than the maximum.The impact of this issue can be significant, as it can lead to incorrect state updates and potentially cause the contract to behave unexpectedly in certain scenarios. This could have implications for the overall functionality and security of the contract, especially if the
buffer.bufferBlocks
value is used in other parts of the contract logic.To illustrate the concept further, here's an example of how the code could be modified to address the issue:
By using an
else if
statement instead of separateif
statements, the conditions are evaluated in the correct order, and the assignment ofbuffer.bufferBlocks
will be consistent with the intended behavior.Tools Used
Vs src\bridge\SequencerInbox.sol:847-865
Recommended Mitigation Steps
Combine the two conditions into a single
if
statement with appropriate logic:This way, the conditions are evaluated in the correct order, and the assignment of
buffer.bufferBlocks
will be consistent with the intended behavior.Assessed type
Error