Open howlbot-integration[bot] opened 2 months ago
There is no sensitive data to read or write - the contracts are stateless. An attacker also has no control over the program running in the VM - that is defined by the absolute prestate. The attack vectors mentioned all require manipulating fields in the state, but this is the same as posting an invalid claim. An honest actor will just counter the invalid claim.
zobront marked the issue as unsatisfactory: Invalid
@CrystallineButterfly After further discussion with the sponsor, I believe this issue fits into the same category of others that have been accepted:
While this doesn't point to a specific deviation from the MIPS spec, it does fit the same criteria as above. For that reason, I will be upgrading the issue back to Medium (as the others of this type are) and including it in the final report.
zobront marked the issue as satisfactory
zobront marked the issue as selected for report
Lines of code
https://github.com/code-423n4/2024-07-optimism/blob/main/packages/contracts-bedrock/src/cannon/MIPS.sol#L538
Vulnerability details
Impact
The readMem() and writeMem() functions do not properly validate the memory address being accessed. This could lead to unauthorized access to memory outside the intended ranges, which could then allow a black hat to read or modify sensitive data, in creative ways. As the contract is using a
32-bit
address spaceuint32
foraddresses
without implementing proper bounds checking, possibly then allowing access to the entire 4GB address space.Specific attack vectors:
preimageKey
and/orpreimageOffset
to gain unauthorized access to preimage data.pc
ornextPC
values to alter program flows, even possible paths to bypass security checks.exitCode
orexited
flags to prematurely terminate or continue execution inappropriately.Proof of Concept
The bug leading to the attack vectors mentioned, is present in both readMem() and writeMem() functions but here is the relevant snippet of readMem():
The function only checks for
4-byte
alignment but does not validate if the address is within the allowed memory range.Add the below foundry test function to MIPS.t.sol to show the bug, will need to fix setup when running if bugs occur:
I did this PoC to:
Tools Used
Manual review, VsCode, Foundry, AuditWizard
Recommended Mitigation Steps
MAX_MEMORY_ADDRESS
based on the specificMIPS
implementation as of current and memory layout used in the contract. Theconstant
should be set to limit the accessible memory range to only what is actually necessary, bounded specifically, to prevent gaps that can be targeted by creative black hats.Assessed type
Context