Open c4-bot-9 opened 1 month ago
godzillaba (sponsor) acknowledged
We disagree with the severity and think this should be low/QA. We will add comments to the pause/unpause functions informing the admin that timers do not stop
Picodes marked the issue as satisfactory
Picodes marked the issue as selected for report
This report shows how in the event the contract is paused, the challenge period is effectively shorter, and it could eventually drop to a point where it's within the censorship budget of an attacker. As this is a core invariant of the system, and as it wasn't documented, I tend to accept this as a valid Medium-severity issue
This report shows how in the event the contract is paused, the challenge period is effectively shorter, and it could eventually drop to a point where it's within the censorship budget of an attacker. As this is a core invariant of the system, and as it wasn't documented, I tend to accept this as a valid Medium-severity issue
We respectfully disagree. Pausing and unpausing are highly trusted admin actions where in most case should be followed by a contract upgrade and/or force confirmation. If an emergency pause is performed, the censorship invariant is not expected to hold. Admin actions that lead to the protocol being stuck in suboptimal state should be considered as misconfiguration. I believe this should be Low risk at best.
past very similar issue is judged as medium
https://github.com/code-423n4/2024-03-taiko-findings/issues/170
also the code comments says:
the time spent paused should not be incremented in the rollup's timing for assertion validation.
impact is confirmation grace period that act as safe guard is bypassed when pausing.
Worth to note we don't currently have a pauser role, only the admin can pause so it is quite different than a system where a lower privileged admin can pause and unpause the protocol.
Regarding the severity of this issue, I added a comment in #3
I am still hesitating following all your comments on the correct decision for #3 and #7.
Note that these issues as well are related to the fact that invariants are broken following admin actions:
The sponsor's argument that admin actions are meant to be used only to deal with an emergency bug or an upgrade and that therefore it's intended that invariants do not hold anymore is convincing, but up to my knowledge wasn't clearly specified before the contest
Although I do agree with #3 and #7 and the overall fact that the consequence of admin actions on "usual" invariants were poorly documented, it seems that the intention of the sponsor was that indeed pausing or for fast confirming assertions is made for emergency or upgrade procedures and that therefore it's intended that special care must be taken and that once called, resuming operations isn't just calling "unpause", so it makes sense that invariant may be broken in this case.
Consequently, I believe these reports fit "state handling, function incorrect as to spec, issues with comments" more than "function of the protocol or its availability could be impacted".
I'll therefore downgrade #3 and #7 to QA.
Picodes changed the severity to QA (Quality Assurance)
For transparency, the selected for report
label was removed now that all QA votes have been received and a clear top scoring report has been determined.
Noting that the 'grade-a' label was added on behalf of the judge after receiving confirmation.
Lines of code
https://github.com/code-423n4/2024-05-arbitrum-foundation/blob/6f861c85b281a29f04daacfe17a2099d7dad5f8f/src/rollup/RollupAdminLogic.sol#L145 https://github.com/code-423n4/2024-05-arbitrum-foundation/blob/6f861c85b281a29f04daacfe17a2099d7dad5f8f/src/rollup/RollupUserLogic.sol#L110
Vulnerability details
Impact
According to the comment, the time spent paused should not be incremented in the rollup's timing for assertion validation. However, the rollup's timing does not take paused time into consideration in reality. As a result, adversary can censor transactions (within the censorship budget) and force incorrect assertion to be confirmed.
Proof of Concept
According to the contest doc
Suppose challengePeriodBlocks and confirmPeriodBlock are both 7 days. The steps are as following:
Since no one can make new assertions when the contract is paused, the adversary only needs to spend 6 days of censorship budget (to confirm an incorrect assertion) in this case.
require(block.number >= assertion.createdAtBlock + prevConfig.confirmPeriodBlocks, "BEFORE_DEADLINE");
As this line suggests, no special care for paused time is taken.Tools Used
Manual
Recommended Mitigation Steps
Make sure the time spent paused is not incremented in the rollup's timing for assertion validation.
Assessed type
Context