code-423n4 / 2024-07-optimism-findings

3 stars 0 forks source link

squeezeLPP can be called on unfinalized proposals to write arbitrary data #98

Closed howlbot-integration[bot] closed 4 months ago

howlbot-integration[bot] commented 4 months ago

Lines of code

https://github.com/code-423n4/2024-07-optimism/blob/70556044e5e080930f686c4e5acde420104bb2c4/packages/contracts-bedrock/src/cannon/PreimageOracle.sol#L657

Vulnerability details

Vulnerability details

Impact

When calling squeezeLPP(), it verifies that the proposal has been finalized for a duration of CHALLENGE_PERIOD seconds:

```solidity
if (block.timestamp - metaData.timestamp() <= CHALLENGE_PERIOD) revert ActiveProposal();
```

A vulnerability arises if the proposal was never finalized finalized because in such cases, metaInfo.timestamp() returns 0 and block.timestamo - metaDAta.timestamp() check will pass.

This allows for arbitrary encoded data to be added to previously initialized preimage when calling squeezeLPP, because it will update the storage with malicious data.

Tools Used

Eyes

Recommended Mitigation Steps


         if (metaData.countered()) revert BadProposal();
+        if (metaData.timestamp() == 0) revert ActiveProposal();
``

## Assessed type

Other
c4-judge commented 4 months ago

zobront marked the issue as satisfactory