Closed howlbot-integration[bot] closed 3 months ago
This is invalid because the attacker doesn't control the code executed by the VM and is therefore unable to call mmap with arbitrary values. The program being executed is part of the ABSOLUTE_PRESTATE of the fault dispute game, which is op-program compiled for MIPS in the current game configuration.
zobront marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-07-optimism/blob/main/packages/contracts-bedrock/src/cannon/MIPS.sol#L151
Vulnerability details
Impact
The handleSyscall() function contains a vulnerability in the current implementation of the mmap syscall (syscall number 4090). This function allows for uncontrolled memory allocation, with an attack vector leading to potential DoS or excessive gas consumption.

Steps to Exploit:

1. Repeatedly issue mmap syscalls with large a1 values.
2. state.heap grows without limit.
3. It can lead to significant resource waste, causing transactions to fail and thereby potentially disrupting the system's overall functionality.
Proof of Concept
Vulnerable code here, from handleSyscall():
The above code allows for arbitrary memory allocation without upper bound checks. This enables an attacker to exploit it by repeatedly calling the mmap syscall with large sizes, causing the state.heap to grow indefinitely and far too much.

Foundry PoC that should pass on your end, proving this vulnerability:
Tools Used
Manual review, Vscode & Foundry for PoC, AuditWizard
Recommended Mitigation Steps
Add an upper bound for the total heap size, and add checks to prevent excessive memory allocation in a single mmap call. Also add a mechanism to track and limit the total memory allocated across multiple mmap calls.

Fix:
Assessed type
DoS
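The following is an added example, not code from this report, from MIPS.sol or from the Optimism codebase. It models the mmap syscall handler the report describes in Python: `mmap_unbounded` bumps `state.heap` by the requested size with no cap (and, because the heap register is 32 bits, wraps silently), while `mmap_bounded` implements the mitigation the report recommends by rejecting any request that would push the heap past a limit. The 4 KiB page rounding, the `heap_limit` field, the starting heap address and the use of the Linux/MIPS `ENOMEM` errno with `a3 == 1` as the failure signal are all assumptions of this model, not facts taken from the page.

```python
from dataclasses import dataclass

PAGE_SIZE = 0x1000          # assumption: requests are rounded up to a 4 KiB page
MASK32 = 0xFFFFFFFF         # the heap pointer is a 32-bit register
SYS_MMAP = 4090             # syscall number cited in the report
ENOMEM = 12                 # assumption: Linux/MIPS errno returned when the cap is hit


@dataclass
class MipsState:
    heap: int               # next free heap address (32-bit)
    heap_limit: int         # hypothetical cap on heap growth; not present in MIPS.sol


def page_align(sz: int) -> int:
    """Round a request up to a whole page, truncated to 32 bits."""
    if sz & (PAGE_SIZE - 1):
        sz += PAGE_SIZE - (sz & (PAGE_SIZE - 1))
    return sz & MASK32


def mmap_unbounded(state: MipsState, a0: int, a1: int):
    """Model of the handler as the report describes it: a0 is the requested
    address, a1 the size. With a0 == 0 the heap simply grows by a1, unchecked.
    Returns (v0, a3); a3 == 0 means success."""
    sz = page_align(a1)
    if a0 == 0:
        v0 = state.heap
        state.heap = (state.heap + sz) & MASK32   # wraps silently past 2^32
    else:
        v0 = a0
    return v0, 0


def mmap_bounded(state: MipsState, a0: int, a1: int):
    """Hardened variant implementing the report's mitigation: a single call
    or the accumulated total may never move the heap beyond heap_limit."""
    sz = page_align(a1)
    if a0 != 0:
        return a0, 0
    new_heap = state.heap + sz        # deliberately not masked, so a wrap is caught
    if new_heap > state.heap_limit:
        return ENOMEM, 1              # a3 == 1 signals failure, v0 carries errno
    v0 = state.heap
    state.heap = new_heap
    return v0, 0


def grow_until_rejected(state: MipsState, request: int, max_calls: int = 10_000) -> int:
    """Issue mmap(0, request) repeatedly against the bounded handler and return
    how many calls succeed before the cap rejects one (or max_calls is reached)."""
    calls = 0
    while calls < max_calls:
        _, a3 = mmap_bounded(state, 0, request)
        if a3 != 0:
            break
        calls += 1
    return calls


if __name__ == "__main__":
    # Constructed sample state: heap at 0x40000000 with 64 KiB of headroom.
    s = MipsState(heap=0x40000000, heap_limit=0x40010000)
    mmap_unbounded(s, 0, 0xFFFFF000)
    print(f"unbounded: heap after one huge request = {s.heap:#x} (wrapped below start)")
    s = MipsState(heap=0x40000000, heap_limit=0x40010000)
    print(f"bounded: {grow_until_rejected(s, 0x1000)} page-sized calls accepted before ENOMEM")
```

The unbounded handler shows why "grows without limit" is really two problems: unbounded growth and, at the 32-bit boundary, a wrap that moves the heap pointer backwards over already-handed-out memory. The bounded variant compares before masking, so the same comparison catches both the oversized single request and the cumulative total across many calls.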