Closed github-actions[bot] closed 1 year ago
Comment from Optimism
Description: Validate the outputRoot
consistently
Reason: This is a non-issue. The proveWithdrawalTransaction
function validates that the _l2OutputIndex
passed corresponds to an existing output proposal in the L2OutputOracle
and that the _outputRootProof
passed hashes to the outputRoot
returned by the L2OutputOracle
. In addition, the _tx
passed is verified for inclusion within the _outputRootProof
's messagePasserStorageRoot
via the passed _withdrawalProof
.
ak1
medium
validate the
outputRoot
consistentlySummary
We observed that the outputRoot is not validated in all the places.
while the
outputRoot
is validated inL2OutputOracle.sol
in Line during theproposeL2Output
But, not in OptimismPortal.sol in the functionproveWithdrawalTransaction
. refer the linesVulnerability Detail
Refer the summary section.
Impact
Since the function
proveWithdrawalTransaction
is external, malicious user could call the proveWithdrawalTransaction function by crafting the the input parameters in following places which will not revert in all the validating places.https://github.com/sherlock-audit/2023-01-optimism/blob/main/optimism/packages/contracts-bedrock/contracts/L1/OptimismPortal.sol#L193-L223
As a result, there will be plenty of transactions loaded in provenWithdrawals mapping.
provenWithdrawals is public function, the values will be stored in contract state which could consume gas by sitting idle. No one will be there to prove and complete the transaction.
Code Snippet
https://github.com/sherlock-audit/2023-01-optimism/blob/main/optimism/packages/contracts-bedrock/contracts/L1/OptimismPortal.sol#L176-L186
Tool used
Manual Review
Recommendation
We suggest to validate the
outputRoot
consistently in all the places.