Closed howlbot-integration[bot] closed 4 months ago
gzeoneth (sponsor) disputed
Invalid. Misconfigurations are out-of-scope; challengePeriodBlocks should be configured to the attacker's censorship budget.
Also in README:
It is assumed that off-chain computation costs are negligible, and honest validators can react to malicious action broadcasted on-chain immediately in the same block unless the malicious party spends their censorship budget.
Flagging as Out-of-Scope as shown by the sponsor.
Picodes marked the issue as unsatisfactory: Out of scope
Lines of code
https://github.com/code-423n4/2024-05-arbitrum-foundation/blob/main/src/challengeV2/EdgeChallengeManager.sol#L511
Vulnerability details
Impact
If the difference between `challengePeriodBlocks` and the total unrivaled time of a malicious assertion claim is less than the delay between sending a transaction and mining that transaction, the malicious assertion claim will always win, regardless of the total unrivaled time of the valid assertion claim.
Proof of Concept
Please have a look at the following time demonstration for a better understanding:
- `challengePeriodBlocksInTime`: `challengePeriodBlocks` expressed in time.
- `totalUnriveledTimeInTime(valid assertion claim) = challengePeriodBlocksInTime - tH`
- `totalUnriveledTimeInTime(malicious assertion claim) = challengePeriodBlocksInTime - tA`
- `k`: the delay between sending a tx and having it mined.
- `t1`: the time the honest party creates an edge; this tx is mined at `t1 + k`.
- `t1 + tH`: the time the evil party sends the tx that rivals the honest party's edge and creates a new edge.
- `t1 + tH + tA`: the time the evil party sends `confirmEdgeByTime` to confirm the malicious assertion claim.
- `t1 + k + tH`: the time the honest party sends `confirmEdgeByTime` to confirm the valid assertion claim, also the time that the evil party's rivaling and new edge creation is mined.
- `t1 + k + tH + k`: the time that the honest party's confirmation tx is mined.
https://github.com/code-423n4/2024-05-arbitrum-foundation/blob/main/src/challengeV2/EdgeChallengeManager.sol#L511
Happy Scenario:
Suppose the total unrivaled time of the valid assertion claim is `challengePeriodBlocksInTime - tH`, so if the evil party delays only `tH` seconds in rivaling an edge, the honest party will win and can confirm the valid assertion claim by time by calling `confirmEdgeByTime`.
- The honest party creates an edge at time `t1`.
- This tx is mined `k` seconds later. So, this tx is mined at `t1 + k`.
- After `tH` seconds, the honest party interprets that the total unrivaled time of the valid assertion claim is now `challengePeriodBlocksInTime - tH + tH`, so he is able to win by confirming it by time. So, the honest party sends the `confirmEdgeByTime` tx at `t1 + k + tH` to confirm the valid assertion claim.
- The honest party's confirmation tx is mined at `t1 + k + tH + k`. So, the valid assertion claim is confirmed, and the honest party wins.
Unhappy Scenario:
Suppose the total unrivaled time of the valid assertion claim is `challengePeriodBlocksInTime - tH`, so if the evil party delays only `tH` seconds in rivaling an edge, the honest party will win and can confirm the valid assertion claim by time by calling `confirmEdgeByTime`.
Moreover, suppose that the total unrivaled time of the malicious assertion claim is `challengePeriodBlocksInTime - tA`, so if the honest party delays only `tA` seconds in rivaling an edge, the evil party will win and can confirm the malicious assertion claim by time by calling `confirmEdgeByTime`.
- The honest party creates an edge at time `t1`.
- This tx is mined `k` seconds later. So, this tx is mined at `t1 + k`.
- The evil party sends a tx that rivals the honest party's edge and creates a new edge at `t1 + tH`.
- The evil party sends `confirmEdgeByTime` at `t1 + tH + tA` to confirm the malicious assertion claim.
- After `tH` seconds, the honest party interprets that the total unrivaled time of the valid assertion claim is now `challengePeriodBlocksInTime - tH + tH`, so he is able to win by confirming it by time. So, the honest party sends the `confirmEdgeByTime` tx at `t1 + k + tH` to confirm the valid assertion claim.
- The evil party's tx is mined at `t1 + tH + k`. This tx rivals the honest party's edge as well as creating a new edge.
- The evil party's `confirmEdgeByTime` tx is mined at `t1 + tH + tA + k`, earlier than the honest party's confirmation tx is mined. So, the malicious assertion claim is confirmed, and the evil party wins.
- The honest party's `confirmEdgeByTime` tx is mined at `t1 + k + tH + k`, but it is reverted because its rival is already confirmed.
Even if the honest party rivals the evil party's edge at time `t1 + k + tH`, it will be mined at `t1 + k + tH + k`, which is too late because the evil party's confirm tx is mined at `t1 + k + tH + tA`.
The only condition is that `tA <= k`.
Example 1 (where tA < tH):
The honest party creates an edge at time 604000, and it is mined at `604000 + 48 = 604048`. The total unrivaled time of the valid assertion claim is `604700`, so if the evil party makes a delay of 100 seconds, the honest party can confirm the valid assertion claim. Moreover, the total unrivaled time of the malicious assertion claim is `604776`, so if the honest party makes a delay of 24 seconds, the evil party can confirm the malicious assertion claim.
- The evil party sends a tx at `604000 + 100 = 604100` to rival the honest party's edge and also create a new edge. Then the evil party sends a tx at `604000 + 100 + 24 = 604124` to confirm the malicious assertion claim.
- The honest party notices at `604000 + 48 + 100 = 604148` that the total unrivaled time of the valid assertion claim is now `604700 + (604148 - (604000 + 48)) = 604800`, which is equal to challengePeriodBlocksInTime. So, he sends the tx to confirm the valid assertion claim.
- The evil party's rival and new edge creation tx is mined at `604000 + 48 + 100 = 604148`.
- The evil party's confirmation tx is mined at `604000 + 48 + 100 + 24 = 604172`. This tx will be successful because, at the time this tx is mined, the total unrivaled time of the malicious assertion claim has increased by 24, which makes the total equal to `604800 = challengePeriodBlocksInTime`. So, the malicious assertion claim is confirmed, and the evil party wins.
- The honest party's confirmation tx will not be successful at `604000 + 48 + 100 + 48 = 604196`, because its rival is already confirmed.
Example 2 (where tA > tH):
The honest party creates an edge at time 604000. The total unrivaled time of the valid assertion claim is `604795`, so if the evil party makes a delay of 5 seconds, the honest party can confirm the valid assertion claim. Moreover, the total unrivaled time of the malicious assertion claim is `604776`, so if the honest party makes a delay of 24 seconds, the evil party can confirm the malicious assertion claim.
- The evil party sends a tx at `604000 + 5 = 604005` to rival the honest party's edge (which is not yet mined) and also create a new edge. Then the evil party sends a tx at `604000 + 5 + 24 = 604029` to confirm the malicious assertion claim.
- The honest party's edge creation is mined at `604000 + 48 = 604048`.
- The honest party notices at `604000 + 48 + 5 = 604053` that the total unrivaled time of the valid assertion claim is now `604795 + (604053 - (604000 + 48)) = 604800`, which is equal to challengePeriodBlocksInTime. So, he sends the tx at `604000 + 48 + 5 = 604053` to confirm the valid assertion claim.
- The evil party's rival and new edge creation tx is mined at `604000 + 48 + 5 = 604053`.
- The evil party's confirmation tx is mined at `604000 + 48 + 5 + 24 = 604077`. This tx will be successful because, at the time this tx is mined, the total unrivaled time of the malicious assertion claim has increased by 24, which makes the total equal to `604800 = challengePeriodBlocksInTime`. So, the malicious assertion claim is confirmed, and the evil party wins.
- The honest party's confirmation tx will not be successful at `604000 + 48 + 5 + 48 = 604101`, because its rival is already confirmed.
Example 3 (where tA < tH & evil party is not precise):
So far, I was assuming that the evil party's rival and new edge creation is mined exactly at the time the honest party's confirmation tx is sent. This was just for simplicity, and it is not necessary. So, here I assume that the evil party has `x` seconds of delay, where `x <= k`.
The honest party creates an edge at time 604000, and it is mined at `604000 + 48 = 604048`. The total unrivaled time of the valid assertion claim is `604700`, so if the evil party makes a delay of 100 seconds, the honest party can confirm the valid assertion claim. Moreover, the total unrivaled time of the malicious assertion claim is `604776`, so if the honest party makes a delay of 24 seconds, the evil party can confirm the malicious assertion claim.
- The evil party sends a tx at `604000 + 100 + 12 = 604112` to rival the honest party's edge and also create a new edge. Then the evil party sends a tx at `604000 + 100 + 24 + 12 = 604136` to confirm the malicious assertion claim.
- The honest party notices at `604000 + 48 + 100 = 604148` that the total unrivaled time of the valid assertion claim is now `604700 + (604148 - (604000 + 48)) = 604800`, which is equal to challengePeriodBlocksInTime. So, he sends the tx to confirm the valid assertion claim.
- The evil party's rival and new edge creation tx is mined at `604000 + 48 + 100 + 12 = 604160`.
- The evil party's confirmation tx is mined at `604000 + 48 + 100 + 24 + 12 = 604184`. This tx will be successful because, at the time this tx is mined, the total unrivaled time of the malicious assertion claim has increased by 24, which makes the total equal to `604800 = challengePeriodBlocksInTime`. So, the malicious assertion claim is confirmed, and the evil party wins.
- The honest party's confirmation tx will not be successful at `604000 + 48 + 100 + 48 = 604196`, because its rival is already confirmed.
The root cause of this issue is that there is a delay between the time the honest party sends the confirmation tx and the time it is mined. If the evil party can engineer the timing so that the confirmation of the malicious assertion claim is mined between these two times, the evil party will always win in the scenarios where `tA <= k`. In other words, the remaining unrivaled time the malicious assertion claim needs in order to be confirmed (`tA`) must be less than or equal to the delay between sending a tx and having it mined (`k`).
In summary, when the honest party notices that the total unrivaled time of the valid assertion claim meets the threshold, he sends the confirmation tx. There is some delay before this tx is mined. If the evil party can get his confirmation of the malicious assertion claim mined during this delay, he is the winner.
Some important notes:
- The honest party's confirmation tx is mined only once the total unrivaled time of the valid assertion claim has reached `challengePeriodBlocksInTime + k`. In other words, `k` is the extra time that the honest party wastes, and this extra wasted time is the window in which the evil party can confirm the malicious assertion claim. That is why the only condition for this attack is to have `tA <= k`.
- One may think that if the honest party sends the confirmation tx `k` seconds earlier, it will be protected against this attack, because it will be mined `k` seconds earlier, so that the evil party's confirmation will not be mined earlier than the honest party's. But this is not true, because the honest party sends the confirmation tx as soon as he notices that the total unrivaled time of the valid assertion claim is equal to `challengePeriodBlocksInTime`. In other words, if the honest party sends the confirmation tx earlier (when the total unrivaled time of the valid assertion claim is not yet equal to `challengePeriodBlocksInTime`), it is not guaranteed that, during the time this tx is being mined, the evil party does not rival the edge and stop the timer. So, it is reasonable that the honest party be patient until he notices that the total unrivaled time of the valid assertion claim is equal to `challengePeriodBlocksInTime` and then sends the confirmation tx.
- The evil party's rival and new edge creation tx is mined at `t1 + k + tH` or after (explained in Example 3). In other words, it is mined after the honest party's confirmation tx is sent. Even if the honest party rivals this newly created edge, it will be mined after `k` seconds, which is too late, because it will be mined after the evil party's confirmation tx is mined.
- When the evil party sends the confirmation tx, the total unrivaled time of the malicious assertion claim is not yet equal to `challengePeriodBlocksInTime` (so he is not eligible to confirm it). But the evil party knows that when this tx is mined, the total unrivaled time of the malicious assertion claim is equal to `challengePeriodBlocksInTime`, because he knows that the honest party will react to an edge when it is mined. So, the evil party sends the confirmation tx shortly (`tA` seconds) after the rival and new edge creation tx.
- The honest party's reaction to the evil party's new edge is mined `k` seconds later, accumulating `k` seconds in favor of the evil party. Since the evil party's confirmation tx is sent before the evil party's rival and new edge creation tx is mined, the evil party's confirmation tx is mined earlier than the honest user's reaction.
Tools Used
Recommended Mitigation Steps
It should be enforced that the confirmation tx is not sent before the latest edge creation tx related to the assertion claim is mined.
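As an added example (not code from this finding or from the Arbitrum repository), the unhappy scenario above as a small timeline model: it reproduces Examples 1 and 2 and shows the recommended check rejecting the evil party's early confirmation. It assumes, as the finding does, that every tx is mined exactly `k` seconds after it is sent; `cp` stands for `challengePeriodBlocksInTime`.

```python
# Constructed timeline model of the confirm-by-time race in this finding.
# Not code from the finding or from the Arbitrum repository. Names follow
# the finding (t1, k, tH, tA; challengePeriodBlocksInTime is `cp`), all
# values are seconds, and every tx is assumed to be mined exactly k
# seconds after it is sent, as the finding assumes.

def race(t1, k, tH, tA, cp, mitigation=False):
    """Play the unhappy scenario; return (winner, honest_confirm_mined,
    evil_confirm_mined). Honest party: creates an edge at t1 and sends
    confirmEdgeByTime as soon as the valid claim's unrivaled time reaches
    cp. Evil party: rivals that edge (creating its own) tH seconds after
    t1 and sends its own confirmEdgeByTime tA seconds later. With
    mitigation=True the recommended check rejects a confirmation sent
    before the latest edge creation related to its claim was mined."""
    honest_edge_mined = t1 + k
    honest_confirm_sent = honest_edge_mined + tH
    honest_confirm_mined = honest_confirm_sent + k

    evil_rival_sent = t1 + tH
    evil_rival_mined = evil_rival_sent + k        # stops the honest timer
    evil_confirm_sent = evil_rival_sent + tA
    evil_confirm_mined = evil_confirm_sent + k

    # The honest party rivals the evil edge the moment it is mined, but
    # that reaction lands k seconds later, so the evil edge runs unrivaled
    # for min(k, tA) seconds before the evil confirmation is mined.
    honest_rival_mined = evil_rival_mined + k

    # Unrivaled time of each claim at the moment its confirmation is mined.
    valid_total = (cp - tH) + (
        min(evil_rival_mined, honest_confirm_mined) - honest_edge_mined)
    malicious_total = (cp - tA) + (
        min(honest_rival_mined, evil_confirm_mined) - evil_rival_mined)

    honest_ok = valid_total >= cp
    evil_ok = malicious_total >= cp
    if mitigation and evil_confirm_sent < evil_rival_mined:
        evil_ok = False          # sent before its own edge creation mined

    # Whichever eligible confirmation is mined first wins; the loser's tx
    # reverts because its rival is already confirmed. A tie (tA == k) is
    # counted for the evil party, matching the finding's condition tA <= k.
    if evil_ok and (not honest_ok or evil_confirm_mined <= honest_confirm_mined):
        return "evil", honest_confirm_mined, evil_confirm_mined
    if honest_ok:
        return "honest", honest_confirm_mined, evil_confirm_mined
    return "none", honest_confirm_mined, evil_confirm_mined
```

`race(604000, 48, 100, 24, 604800)` gives the timeline of Example 1 (evil confirmation mined at 604172, honest at 604196); the same call with `mitigation=True` or with `tA = 60 > k` returns the honest party as the winner.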
Assessed type
Context