Open howlbot-integration[bot] opened 1 month ago
Picodes changed the severity to QA (Quality Assurance)
This previously downgraded issue has been upgraded by Picodes
This previously downgraded issue has been upgraded by Picodes
Picodes marked the issue as duplicate of #7
Picodes changed the severity to QA (Quality Assurance)
Picodes marked the issue as grade-b
Hi @Picodes,
Finding-55 has been upgraded to a Medium while only showing an invariant been broken.
Finding-55 does not outline a loss for the user, solely a small delay wrt the delay buffer. Can you revisit this finding group in the light of your new judgement? Since this finding group provides an example of an invariant being broken, which has been explicitly mentioned in the README.md
.
@bronzepickaxe 55 is about funds being stuck longer than they should, without any admin intervention, so it's not related to this group of reports
Lines of code
https://github.com/code-423n4/2024-05-arbitrum-foundation/blob/6f861c85b281a29f04daacfe17a2099d7dad5f8f/src/rollup/RollupUserLogic.sol#L82-L89
Vulnerability details
Description
One of the assertions is:
As per the
BoLD paper
, honest assertions should be confirmed at most~14 days
. However, it is possible to pause the ability to confirm assertions by callingRollupAdminLogic.pause()
If this function gets called, any call made to
RollupUserLogic.confirmAssertion()
will fail due to the modifierwhenNotPaused
:This means that there are scenario's possible where an assertion will take longer than the
~14 days
described in theBoLD paper
, thus breaking this main invariant.Tools used
Manual Review
Recommended Mitigation Steps
Let the time run during a
pause()
to stop it from breaking the main invariant.Assessed type
Other