Closed howlbot-integration[bot] closed 4 months ago
gzeoneth (sponsor) disputed
Expected behavior, owner (or governance) should consider the risk when changing any parameters. Misconfigurations are out-of-scope.
Picodes marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-05-arbitrum-foundation/blob/main/src/bridge/SequencerInbox.sol#L847
Vulnerability details
Impact
Buffer will be modified with new parameters for periods where the old parameters were active, harming either the users (if it increases) or the sequencer (if it decreases and lowers it too much).
Proof of Concept
SequencerInbox::_setBufferConfig()
modifies the parameters of the buffer, includingbuffer.bufferBlocks
,buffer.max
,buffer.threshold
,buffer.replenishRateInBasis
. If no delayed messages are present (the sequencer is synced), it updates the buffer up toblock.number
, but in this calculation uses the new parameters instead, leading to a different buffer. This alone should be performed before changing the parameters, as the previous buffer period had different parameters.More impactul is when there are unread delayed messages. In this case, the parameters will be updated, and the past users that had already queued their messages will be subjected to sudden different buffer delays.
Add the following test as a POC to
SequencerInbox.t.sol
. Here areplenishRate
change was tested, but it may also happen to a threshold or max change.Tools Used
Vscode
Foundry
Recommended Mitigation Steps
Move the update logic to before the parameters are changed. Also, if the delayed messages are not synced, it should probably better to sync them first or similar.
Assessed type
Context