Buffer Depletion Vulnerability in DelayBuffer Library

[howlbot-integration[bot]]

Lines of code

https://github.com/AnasTur/2024-05-arbitrum-foundation/blob/fa413646bb4776c114234bcde97bab901f3653e0/src/bridge/DelayBuffer.sol#L33

Vulnerability details

Vulnerability:

The calcBuffer() function has a potential vulnerability in the following scenario:

• The threshold is set to a high value, allowing for a significant delay in message processing.
• A malicious user submits a batch of messages with a delay greater than the threshold.
• The calcBuffer() function depletes the delay buffer by the amount of the delay, even though only a portion of the messages in the batch are actually delayed.

This allows the malicious user to force the sequencer to process a large number of messages without having to wait the full threshold time.

Exploitation:

1. Submit a batch of messages with a delay greater than the threshold.
2. Monitor the delay buffer and note the amount it is depleted.
3. Submit another batch of messages with the same delay.
4. The calcBuffer() function will again deplete the buffer by the amount of the delay, even though only a portion of the messages in the second batch are actually delayed.
5. Repeat steps 3 and 4 until the sequencer runs out of buffer space.

Impact:

• The sequencer may process messages that are not actually delayed, leading to incorrect ordering of transactions.
• This vulnerability can potentially allow a malicious user to bypass the delay buffer and force the sequencer to process messages at an arbitrary time.

Mitigation:

• Limit the threshold to a reasonable value.
• Use a mechanism to verify the actual delay of messages before depleting the buffer.
• Consider implementing additional safeguards to prevent malicious manipulation of the delay buffer.

Assessed type

Timing

[c4-sponsor]

gzeoneth (sponsor) disputed

[gzeoneth]

Unclear POC, misconfiguration is out-of-scope

[c4-judge]

Picodes marked the issue as unsatisfactory: Insufficient proof