Open c4-bot-1 opened 3 months ago
hey @Picodes thanks so much for judge this, this is not been invalidated in the validation repo but its not in the findings repo, thank for take a look of this issue. the problem here is that there is not validation for l1BlockAndTime[0]
allowing a malicious attacker misconfig the buffer.
It need to match messageHash
and block/timestamp in the delayed inbox is strictly increasing.
@jorgect207 the validation is done with messageHash
Lines of code
https://github.com/code-423n4/2024-05-arbitrum-foundation/blob/6f861c85b281a29f04daacfe17a2099d7dad5f8f/src/bridge/SequencerInbox.sol#L310
Vulnerability details
The buffer it is a way of limiting repeated sequencer censorship of delayed inbox messages. (took it directly by @godzillaba from discord chat arbitrum code4arena)
This buffer is been update in
forceInclusion
function (see the arrow below):[Link]
[Link]
The problem is that the
l1BlockAndTime
can be passed with al1BlockAndTime[0]
arbitrary value so low and the checks are passing. this successfully set theself.prevBlockNumber
see the arrow above in the update function to a incorrect value.Impact
A malicious user can misconfigure the buffer leading to error in
calcPendingBuffer
and also theisSynced
function return value can be manipulated to make the contract believe thatisSynced
but it not.Proof of Concept
We can see that forceInclusion functions is calling
update
in the delay buffer library which is settingself.prevBlockNumber = blockNumber
.[Link]
[Link]
The
calcPendingBuffer
functions is calling[Link]
see the
calcBuffer
function:[Link]
As you can see this function is not reverting is the
l1BlockAndTime[0]
which is theend
input is not less than thestart
instead the function is just setting the elapse to zero the problem is that thisl1BlockAndTime[0]
was set to theprevBlockNumber
in the update function:[Link]
Tools Used
Manual
Recommended Mitigation Steps
Since the end can not be before to the start a revert can be add it in
calcBuffer
see the arrow aboveAssessed type
Other