code-423n4 / 2024-07-optimism-findings


A malicious user can front-run `challengeLPP` to get funds #104

Closed howlbot-integration[bot] closed 4 months ago

howlbot-integration[bot] commented 4 months ago

Lines of code

https://github.com/code-423n4/2024-07-optimism/blob/0f8027921e621a9ac75d8eb20cbda873965e3b8a/packages/contracts-bedrock/src/cannon/PreimageOracle.sol#L568

Vulnerability details

Impact

The proof data does not contain msg.sender information, so a malicious user can front-run and profit from this.

Proof of Concept

```solidity
function challengeLPP(
    ...
    bytes32 root = getTreeRootLPP(_claimant, _uuid);
    if (
        !(
@>          _verify(_preStateProof, root, _preState.index, _hashLeaf(_preState))
@>              && _verify(_postStateProof, root, _postState.index, _hashLeaf(_postState))
        )
    ) revert InvalidProof();
    ...
    // Pay out the bond to the challenger.
@>  _payoutBond(_claimant, _uuid, msg.sender);
```

Any challenger can challenge a block that was committed to in the merkle tree. The issue is that the proof data does not contain challenger data, so anyone who notices it in the mempool can front-run the proof message and get the bond.

Tools Used

manual

Recommended Mitigation Steps

Maybe a caller limit should be added to the proof data.

Assessed type

MEV
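
One way to bind a proof to its caller, as the recommendation above suggests, is a commit-reveal step in front of the challenge. This is an added example, not code from the original report or from the Optimism repository; the contract `CallerBoundChallenge`, the constant `MIN_COMMIT_AGE` and every function, event and error name in it are hypothetical, and proof verification and bond payout are assumed to happen in the integrating contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

/// Hypothetical illustration: binds a challenge proof to the address that reveals it.
contract CallerBoundChallenge {
    /// Assumed value: a reveal must land at least one block after its commit,
    /// so a copied proof cannot be committed and revealed in the same block.
    uint256 public constant MIN_COMMIT_AGE = 1;

    /// commitment => block number at which it was first recorded (0 = unknown)
    mapping(bytes32 => uint256) public committedAt;

    event Committed(bytes32 indexed commitment, uint256 blockNumber);
    event Revealed(address indexed challenger, bytes32 proofHash);

    error UnknownCommitment();
    error CommitmentTooFresh();

    /// The commitment covers the challenger address, the proof bytes and a secret salt.
    function commitmentFor(address _challenger, bytes32 _proofHash, bytes32 _salt)
        public
        pure
        returns (bytes32)
    {
        return keccak256(abi.encode(_challenger, _proofHash, _salt));
    }

    /// Step 1: only a hash reaches the mempool; the proof stays private.
    /// The first write wins, so re-submitting someone else's hash changes nothing.
    function commit(bytes32 _commitment) external {
        if (committedAt[_commitment] == 0) {
            committedAt[_commitment] = block.number;
            emit Committed(_commitment, block.number);
        }
    }

    /// Step 2: reveal the proof. The commitment is recomputed with msg.sender, so the
    /// same calldata sent from another address reverts with UnknownCommitment.
    function reveal(bytes calldata _proofData, bytes32 _salt) external returns (address challenger_) {
        bytes32 proofHash = keccak256(_proofData);
        bytes32 commitment = commitmentFor(msg.sender, proofHash, _salt);
        uint256 recordedAt = committedAt[commitment];
        if (recordedAt == 0) revert UnknownCommitment();
        if (block.number < recordedAt + MIN_COMMIT_AGE) revert CommitmentTooFresh();
        delete committedAt[commitment]; // single use
        emit Revealed(msg.sender, proofHash);
        // The integrating contract verifies _proofData and pays the bond to this address.
        challenger_ = msg.sender;
    }
}
```

The cost of this pattern is an extra transaction and at least one block of delay before a challenge can be executed.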

c4-judge commented 3 months ago

zobront changed the severity to QA (Quality Assurance)

c4-judge commented 3 months ago

zobront marked the issue as grade-b