sherlock-audit / 2023-01-optimism-judging


obront - Withdrawals in the 7 days prior to migration are immune to challenges, disabling the key defense mechanism of ORU #275

Closed github-actions[bot] closed 1 year ago

github-actions[bot] commented 1 year ago

obront

medium

Withdrawals in the 7 days prior to migration are immune to challenges, disabling the key defense mechanism of ORU

Summary

The Bedrock migration involves implementing a new Genesis state, after which challenges for the pre-Bedrock period are not possible. Withdrawals that happen within 7 days of the migration will be saved in the new state, and therefore skip the necessary fraud proof period needed to keep an ORU secure.

Vulnerability Detail

During migration, the sequencer performs state-surgery on the L2 state. It rewrites withdrawal data (including withdrawals triggered in the past 7 days) to a new format and resets the withdrawal window. From this point, all withdrawals proceed using the Bedrock method.

It can be observed that post-Bedrock, all withdrawals of the past 7 days are no longer subject to fraud proofs, disarming the key defensive component of the optimistic rollup. Users are in effect completely subject to the sequencer, contrary to the way Optimism is presented.

Impact

The key defense mechanism of the Optimistic rollup is compromised during migration. Note that a malicious sequencer is defined as in scope in the contest details page.

Code Snippet

https://github.com/ethereum-optimism/optimism/blob/407f97b9d13448b766624995ec824d3059d4d4f6/op-chain-ops/genesis/db_migration.go#L37

Tool used

Manual Review

Recommendation

Disable withdrawals 7 days before migration.
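As an added illustration of the invariant behind this recommendation (example code, not from the Optimism repository or the report): a pre-migration guard that lists legacy withdrawals whose 7-day challenge window would still be open at the migration timestamp, and a helper that refuses new withdrawals once fewer than 7 days remain. The `LegacyWithdrawal` struct, its `Hash` field and the dates are constructed for the example.

```go
package main

import (
	"fmt"
	"time"
)

// ChallengeWindow is the 7-day fraud-proof period the report refers to.
const ChallengeWindow = 7 * 24 * time.Hour

// LegacyWithdrawal is a constructed stand-in for a pre-Bedrock withdrawal,
// reduced to the two fields this check needs.
type LegacyWithdrawal struct {
	Hash      string // hypothetical label, not an on-chain value
	Initiated time.Time
}

// Unchallengeable returns the withdrawals whose challenge window has not
// fully elapsed at migration time. These are carried into the new genesis
// without ever having been challengeable, the condition the report describes.
func Unchallengeable(ws []LegacyWithdrawal, migration time.Time) []LegacyWithdrawal {
	var out []LegacyWithdrawal
	for _, w := range ws {
		if migration.Sub(w.Initiated) < ChallengeWindow {
			out = append(out, w)
		}
	}
	return out
}

// AcceptWithdrawal encodes the recommendation: once fewer than
// ChallengeWindow remains before the migration, new legacy withdrawals are
// refused so every withdrawal in the old state completes its window.
func AcceptWithdrawal(now, migration time.Time) bool {
	return migration.Sub(now) >= ChallengeWindow
}

func main() {
	migration := time.Date(2023, 3, 1, 0, 0, 0, 0, time.UTC) // constructed date
	ws := []LegacyWithdrawal{
		{"w-old", migration.Add(-10 * 24 * time.Hour)},
		{"w-recent", migration.Add(-2 * 24 * time.Hour)},
	}
	for _, w := range Unchallengeable(ws, migration) {
		fmt.Printf("%s skips %s of its challenge window\n", w.Hash, ChallengeWindow-migration.Sub(w.Initiated))
	}
	fmt.Println("accept 3 days before migration:", AcceptWithdrawal(migration.Add(-3*24*time.Hour), migration))
}
```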

rcstanciu commented 1 year ago

Comment from Optimism
Description: Legacy withdrawals can be immediately finalized after migration, even if they are less than 7 days old

Reason: This is not true. Rather, legacy withdrawals will be subject to a 7-day finalization window even if they are more than 7 days old.

zobront commented 1 year ago

Escalate for 250 USDC

It appears this report was misunderstood by the judges. Here is the response:

Description: Legacy withdrawals can be immediately finalized after migration, even if they are less than 7 days old

Reason: This is not true. Rather legacy withdrawals will be subject to a 7 day finalization window even if they are more than 7 days old.

That description is not what the report is saying. We understand that all withdrawals are subject to a full additional 7 days after the migration.

The issue is that, during those 7 days, there is no way to challenge them. Since all nodes must follow the sequencer through the migration process to arrive at the post-Bedrock state, there is no longer any way to invalidate state transitions that happened pre-Bedrock.

The result is that, while the withdrawals do need to wait 7 days, they aren't actually subject to any challenge mechanism, which removes all ORU security guarantees.

sherlock-admin commented 1 year ago

You've created a valid escalation for 250 USDC!

To remove the escalation from consideration: Delete your comment. To change the amount you've staked on this escalation: Edit your comment (do not create a new comment).

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

Evert0x commented 1 year ago

Escalation rejected as lack of challenge mechanism is described here https://community.optimism.io/docs/security-model/optimism-security-model/#does-optimism-have-fault-proofs

For reference this page was already there before the contest started https://web.archive.org/web/20230121195040/https://community.optimism.io/docs/security-model/optimism-security-model/

sherlock-admin commented 1 year ago

This issue's escalations have been rejected!

Watsons who escalated this issue will have their escalation amount deducted from their next payout.