sherlock-audit / 2023-01-optimism-judging


Handle - `getL2OutputIndexAfter` can return an incorrect index #240

Closed github-actions[bot] closed 1 year ago

github-actions[bot] commented 1 year ago

Handle

medium

getL2OutputIndexAfter can return an incorrect index

Summary

The function getL2OutputIndexAfter can return an index that does not correspond to the parameter _l2BlockNumber.

Vulnerability Detail

As said in L2OutputOracle.sol#L228-L235, the function getL2OutputIndexAfter "Returns the index of the L2 output that checkpoints a given L2 block number"; however, if the inputted parameter _l2BlockNumber does not exist, it will still return an index, making it seem like the value of _l2BlockNumber exists even though the index of the array will not correspond to the value of _l2BlockNumber.

Impact

Code Snippet

    function getL2OutputIndexAfter(uint256 _l2BlockNumber) public view returns (uint256) {
        // Make sure an output for this block number has actually been proposed.
        require(
            _l2BlockNumber <= latestBlockNumber(),
            "L2OutputOracle: cannot get output for a block that has not been proposed"
        );

        // Make sure there's at least one output proposed.
        require(
            l2Outputs.length > 0,
            "L2OutputOracle: cannot get output as no outputs have been proposed yet"
        );

        // Find the output via binary search, guaranteed to exist.
        uint256 lo = 0;
        uint256 hi = l2Outputs.length;
        while (lo < hi) {
            uint256 mid = (lo + hi) / 2;
            if (l2Outputs[mid].l2BlockNumber < _l2BlockNumber) {
                lo = mid + 1;
            } else {
                hi = mid;
            }
        }

        return lo;
    }

Tool used

Manual Review

Recommendation

rcstanciu commented 1 year ago

Comment from Optimism


Description: getL2OutputIndexAfter can return an incorrect index

Reason: This report is false. The getL2OutputIndexAfter function reverts if the provided l2 block number is greater than the latest block number within the L2OutputOracle's l2Outputs array. The intended behavior of the function is that, for all inputs <= the latest block number in the l2Outputs array, the nearest index corresponding to a block number after or at the input block number will be returned. This is because the goal of the function is to find the "index of the first checkpoint that commits to the given L2 block number."
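Added example, not part of the issue thread or the Optimism code base: a Python model of the binary search in the code snippet above, showing which index comes back when the queried block number has no checkpoint of its own. The checkpoint values, the `Revert` class and the helper names are assumptions made for illustration.

```python
from bisect import bisect_left

class Revert(Exception):
    """Stands in for a failed Solidity require()."""

def get_l2_output_index_after(checkpoints, l2_block_number):
    """checkpoints: ascending l2BlockNumber of each proposed output."""
    # Model deviation: emptiness is checked first because the latest block
    # number is read from the list here, not from latestBlockNumber().
    if not checkpoints:
        raise Revert("no outputs have been proposed yet")
    if l2_block_number > checkpoints[-1]:
        raise Revert("block has not been proposed")
    # Same lower-bound search as the Solidity snippet.
    lo, hi = 0, len(checkpoints)
    while lo < hi:
        mid = (lo + hi) // 2
        if checkpoints[mid] < l2_block_number:
            lo = mid + 1
        else:
            hi = mid
    return lo

def is_first_covering_checkpoint(checkpoints, index, l2_block_number):
    """True if `index` is the earliest checkpoint at or after the block."""
    at_or_after = checkpoints[index] >= l2_block_number
    none_earlier = index == 0 or checkpoints[index - 1] < l2_block_number
    return at_or_after and none_earlier

def check_every_block(checkpoints):
    """Compare the search with bisect_left for every input that does not revert."""
    for block in range(checkpoints[-1] + 1):
        idx = get_l2_output_index_after(checkpoints, block)
        if idx != bisect_left(checkpoints, block):
            return False
        if not is_first_covering_checkpoint(checkpoints, idx, block):
            return False
    return True

SAMPLE = [120, 240, 360]  # constructed checkpoint block numbers

if __name__ == "__main__":
    # 240 has its own checkpoint; 121 and 1 do not, yet still get an index.
    for query in (240, 121, 1):
        print(query, "->", get_l2_output_index_after(SAMPLE, query))
    print("all blocks consistent:", check_every_block(SAMPLE))
```

In this model, block 121 has no checkpoint of its own and maps to index 1 (the checkpoint at block 240), the same index an exact query for 240 returns.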