Large preimage proposals (LPPs) allow submitting a large keccak256 preimage via a mechanism secured by a challenge period that must elapse before the proposal can be finalized.
During this challenge period, honest participants are expected to monitor on-chain activity and challenge bogus proposals by running a challenger node or an equivalent verification tool. On a successful challenge, the PreimageOracle contract pays the proposer's bond to whoever submitted the challenge transaction (msg.sender):
File: PreimageOracle.sol
567: /// @notice Challenge a keccak256 block that was committed to in the merkle tree.
568: function challengeLPP(
569: address _claimant,
570: uint256 _uuid,
---
576: )
577: external
578: {
---
604: // Pay out the bond to the challenger.
605: _payoutBond(_claimant, _uuid, msg.sender);
606: }
607:
608: /// @notice Challenge the first keccak256 block that was absorbed.
609: function challengeFirstLPP(
610: address _claimant,
611: uint256 _uuid,
---
614: )
615: external
616: {
---
635: // Pay out the bond to the challenger.
636: _payoutBond(_claimant, _uuid, msg.sender);
637: }
The problem with this approach is that an MEV searcher needs very little sophistication to detect a pending challenge transaction and front-run it for a profit. Generalized front-runners in their most basic form simulate every transaction in the mempool with their own address as the sender and, if the simulation shows a profit, submit a copy ahead of the original. A challenge transaction is exactly that case: the calldata can be copied unchanged, and the only thing that determines who receives the bond is msg.sender. Hence these bonds can be expected to be lost to outside parties, while the honest challenger's transaction fails because the proposal has already been challenged.
At the same time, the proposer of an LPP can front-run challenges to their own proposal. Since the proposer knows the data they committed to, they can construct the same challenge proof and submit it first; the bond is then paid back to their own address, which circumvents the bond loss meant to disincentivize the proposal of incorrect preimages.
Impact
Honest participants in the LPP challenge game are very likely to see their challenge incentive stolen by MEV searchers.
Proposers can circumvent the bond loss meant to disincentivize the proposal of incorrect preimages.
Proof of Concept
A proposer submits an incorrect LPP together with the required bond.
Alice detects the incorrect LPP and submits a transaction to challenge it.
An MEV searcher (Charlie) simulates Alice's pending transaction, sees that it results in a native token transfer to the sender, and front-runs it with an identical call from his own address.
Alice's transaction fails because the proposal has already been challenged, and the bond meant to reward Alice's participation goes to Charlie.
Tools Used
Code review, Foundry
Recommended Mitigation Steps
Pay the bond of a successfully challenged LPP to the Optimism treasury instead of to msg.sender. Honest challengers are already incentivized to challenge incorrect LPPs, as they stand to lose the dispute game otherwise. Bonds recouped from malicious LPPs are better spent this way than extracted by outside parties, and a payout that never reaches the caller leaves a searcher (or the proposer) nothing to gain from copying the challenge transaction.
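The following Foundry test is an added example, not Optimism's code and not part of the original finding. It models the payout-to-msg.sender pattern with a minimal stand-in contract and reproduces both failure modes described above (a searcher landing an identical challenge first, and the proposer challenging their own proposal), then shows that paying the bond to a treasury as recommended removes the incentive to copy the transaction. `BondedProposals`, `PayCallerProposals`, `PayTreasuryProposals`, the `proofIsValid` flag (standing in for the real keccak/merkle verification in `challengeLPP`) and the actors Alice, Bob and Charlie are all assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Added example, not Optimism's code: a minimal stand-in for the LPP bond flow.
// `propose` locks a bond, `challenge` releases it via a payout policy.
abstract contract BondedProposals {
    mapping(bytes32 => uint256) public bonds;     // proposal id => locked bond
    mapping(bytes32 => address) public proposers; // proposal id => proposer

    function propose(bytes32 id) external payable {
        require(bonds[id] == 0 && msg.value > 0, "bad proposal");
        bonds[id] = msg.value;
        proposers[id] = msg.sender;
    }

    // `proofIsValid` stands in for the real verification; anyone who copies a
    // pending challenge transaction reproduces a valid proof for free.
    function challenge(bytes32 id, bool proofIsValid) external {
        require(proofIsValid, "bad proof");
        uint256 bond = bonds[id];
        require(bond != 0, "nothing to challenge"); // second challenge reverts
        delete bonds[id];                            // clear before paying out
        _payoutBond(bond);
    }

    function _payoutBond(uint256 bond) internal virtual;

    function _send(address to, uint256 amount) internal {
        (bool ok,) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

// Mirrors the pattern in the finding: the bond goes to whoever calls challenge.
contract PayCallerProposals is BondedProposals {
    function _payoutBond(uint256 bond) internal override { _send(msg.sender, bond); }
}

// Recommended mitigation: the bond goes to a fixed treasury, never to the caller.
contract PayTreasuryProposals is BondedProposals {
    address public immutable treasury;
    constructor(address t) { treasury = t; }
    function _payoutBond(uint256 bond) internal override { _send(treasury, bond); }
}

contract LppFrontrunTest is Test {
    address alice = makeAddr("alice");       // honest challenger
    address bob = makeAddr("bob");           // proposer of the bogus LPP
    address charlie = makeAddr("charlie");   // generalized front-runner
    address treasury = makeAddr("treasury");
    bytes32 id = keccak256("bogus-lpp");     // constructed proposal id

    function _proposeBogus(BondedProposals o) internal {
        vm.deal(bob, 1 ether);
        vm.prank(bob);
        o.propose{value: 1 ether}(id);
    }

    function testSearcherStealsBond() public {
        PayCallerProposals o = new PayCallerProposals();
        _proposeBogus(o);

        // Charlie saw Alice's challenge in the mempool and lands the same call first.
        vm.prank(charlie);
        o.challenge(id, true);
        assertEq(charlie.balance, 1 ether);

        // Alice's original transaction now fails and she receives nothing.
        vm.prank(alice);
        vm.expectRevert("nothing to challenge");
        o.challenge(id, true);
        assertEq(alice.balance, 0);
    }

    function testProposerSelfChallengeKeepsBond() public {
        PayCallerProposals o = new PayCallerProposals();
        _proposeBogus(o);

        // Bob front-runs any honest challenge with his own and gets his bond back.
        vm.prank(bob);
        o.challenge(id, true);
        assertEq(bob.balance, 1 ether); // no bond was lost
    }

    function testTreasuryPayoutRemovesIncentive() public {
        PayTreasuryProposals o = new PayTreasuryProposals(treasury);
        _proposeBogus(o);

        // Copying the challenge earns the searcher nothing; the bond is still lost by Bob.
        vm.prank(charlie);
        o.challenge(id, true);
        assertEq(charlie.balance, 0);
        assertEq(treasury.balance, 1 ether);
        assertEq(bob.balance, 0);
    }
}
```

Run with `forge test -vv` in a project that has forge-std installed. The three tests exercise the two attack paths and the mitigation in isolation; in the treasury variant the proposer still forfeits the bond, which is the property the recommendation is meant to preserve.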
Lines of code
https://github.com/code-423n4/2024-07-optimism/blob/70556044e5e080930f686c4e5acde420104bb2c4/packages/contracts-bedrock/src/cannon/PreimageOracle.sol#L605
https://github.com/code-423n4/2024-07-optimism/blob/70556044e5e080930f686c4e5acde420104bb2c4/packages/contracts-bedrock/src/cannon/PreimageOracle.sol#L636
Assessed type
MEV