Closed howlbot-integration[bot] closed 1 month ago
gzeoneth (sponsor) disputed
Invalid. Hypothetical broken upgrade is out-of-scope and all proxy upgrade have upgrade risk. Upgrading ECM directly is also not standard procedure as setChallengeManager should be used instead.
This report is a speculation on a future upgrade so is invalid under C4 rules
Picodes marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-05-arbitrum-foundation/blob/main/src/challengeV2/EdgeChallengeManager.sol#L429 https://github.com/code-423n4/2024-05-arbitrum-foundation/blob/main/src/challengeV2/EdgeChallengeManager.sol#L580
Vulnerability details
The fact that
EdgeChallengeManager.sol
is upgradeble, if an Admin would be to upgrade the contract and updatestakeToken
and/orstakeAmounts
, that would result incritical consequences
.This report is related to
TOB-ARBCH-31
from the TrailOfBits audit which was identified asInformational
. Reader should read that finding prior to continue reading this report to get proper context. This report will provide additional information how this would have a critical impacts whichincrease the severity
of the original finding and how the current contratdoesn't prevent
an Admin todo such upgrade, coupled with the fact that not all the team member seems to be fully aware of this (see discussion from Discord, refer to last section), which seems to warrantMedium
severity overall.Impacts (stakeAmounts)
An upgrade implying a change in the staking requirement would be problematic (using WETH as stakeToken):
No stake
required -->100 WETH
stake required: A user which have created a level edge zero before the upgrade might be able to be refunded 100 WETH after the upgrade even if he didn't stake any at the edge creation (see POC).50 WETH
stake required -->100 WETH
stake required: This is very similar to impact 1. A user which have created a level edge zero before the upgrade might be able to be refunded 100 WETH (instead of his 50 WETH staked), so the difference betweem the new stake requirement-
the old stake requirement. Thisimpact is the most realistic
to be happening more often in production.100 WETH
stake required -->50 WETH
stake required: A user which have created a level edge zero before the upgradewill not
be able to get refunded his 100 WETH even if he did stake such amount at the edge creation since now the contract will refund only the new value, which is 50 WETH, sohalf
of his original value.100 WETH
stake required -->no stake
required: A user which have created a level edge zero before the upgradewill not
be able to get refunded his 100 WETH even if he did stake such amount at the edge creation since now the contract will skip the transfer, so he will getnothing
.Impacts (stakeToken)
address(0)
-->WETH
: Same as Impact #1.WETH
-->address(0)
: Same as Impact #4.WETH
-->WBTC
: This will be ok for direct users, but for pool's user that will becatastrophic
as switching to a new token would break the staking pool logic (both, assertion and edge) and users partipating in such pool wouldlost their entire stake
. The reason is since thestakeToken
is stored at pool creation (eg: WETH), whenEdgeChallengeManager
get upgraded to a new stakeToken (eg: WBTC), those tokens will still be transfered to the pool's contract when refunding/withdrawing occurs, but they will bestuck there forever
, as thesafeTransfer
fromwithdrawFromPool
will fail, as it will try to transfer the initial token (WETH) while the contract will now own new one (WBTC).Be aware that all the mentionned impacts are also affecting
EdgeStakingPool
contract users, which ultimatelly could represent Alice or Bob in the following PoC. There is a twist thought, in case ofImpact #2
, the additional token transfered to EdgeStakingPool would be stuck in it forever. The reason being thatdepositIntoPool
andwithdrawFromPool
will be limited to the amount having being accounted only, so the developer assumption here would be broken.Proof of Concept
This is showcasing
Impact 1
. We have 3 actors in play: Admin, Alice and Bob. 1) Admin deploy ECM contractwithout staking required
to create level zero edge. 2) Alice decide to create a challenge callingECM::createLayerZeroEdge
, no token are transfered as it'sstake free
. 3) Afterward (but before Alice challenge is completed), Admin decides to upgrade the contract changing the staking requirement, nowrequiring 100 WETH
to create a level zero edge. 4) Bob decide to create a level zero edge for different claim/assertion (so not an Alice's rival edge). 5) Once Alice's challenge period is completed, she is able to confirm his claim, and afterward callECM::refundStake
. Even if she haven't staked any token, the ECM will send her back the 100 WETH, and since the contract only own 100 WETH (staked by Bob in the previous step), so effectivelly stealing the Bob's stake. (user funds loss) 6) Once Bob has his claim confirmed later on (assuming he wins his claim/assertion too), callingECM::refundStake
will be an odd surprise as the call will revert, as the contract will lack funds. (protocol insolvency)Recommended Mitigation Steps
If an upgrade is required for the
stakeToken and/or stakeAmounts
, normal upgradecan't
be used, and only a complete upgrade which would also upgrade the proxy (so not re-use the storage) and officialize it withRollupAdminLogic::setChallengeManager
afterward. That should bedocumented very clearly and explicitly
as the current setup as the potential to break things down the road, but the proper fix would be to make those state variablesimmutable
, which would prevent this completely.Otherwise, you could track the staked amount/token inside the ChallengeEdge struct instead of having a single global instance and integrate it properly into ECM, that should allow to do normal upgrade. Here would be a draft implementation.
Discord private discussion
Here is a snapshot from my discussion with
godzillaba
, which as I interpret it, by using"i believe the standard procedure"
means to me that it's not 100% clear that a normal upgrade can't be done for staking requirements.Assessed type
Upgradable