rcstanciu
commented
1 year ago Comment from Optimism
Reason: We will wait for all deposits to be processed before starting state surgery. This includes waiting for the 20 minute window to appear on L2, since the DTL will not see the stop block until the confirmation depth has passed.
obront
high
User funds may be lost during migration when performed in a quick fashion
Summary
The migration process is not sufficient to prevent users from losing deposits. If deposits are made within the ~20 minute window before the migration process is performed, deposits that have not yet been processed on L2 will be permanently lost.
Vulnerability Detail
During migration, the sequencer performs state-surgery on the L2 state to guarantee withdrawals to L1 are respected as well as user's current ETH balances. Furthermore, in migration step 2 the L1CrossDomainMessenger is paused, making it impossible to deposit to L2. The steps described are Optimism's way of guaranteeing no funds can be lost during the migration.
Funds indeed can be lost during migration. In the old system, deposits have a 20-minute window until they appear on L2. After migration, the old L1->L2 bridging requests are no longer of any meaning. Therefore, if migration takes place in the 20 minutes after step 2 executes, the bridged value could be forever lost.
Since the migration process has been described as trustless and self-protecting, it is a clear violation of the safety guarantees expected.
Impact
User funds may be lost during migration.
Code Snippet
https://github.com/ethereum-optimism/optimism/blob/407f97b9d13448b766624995ec824d3059d4d4f6/op-chain-ops/genesis/db_migration.go#L37
https://github.com/ethereum-optimism/optimism/blob/407f97b9d13448b766624995ec824d3059d4d4f6/packages/contracts-bedrock/contracts/deployment/SystemDictator.sol#L214
Tool used
Manual Review
Recommendation
Add a check in
db_migration.go, that ensuresstep2(), the shutting down of new deposits, has taken place over 20 minutes ago.