sherlock-audit 2023-03-optimism-judging issues

sherlock-audit / 2023-03-optimism-judging

7 stars 0 forks source link

issues

Newest

Newest Most commented Recently updated Oldest Least commented Least recently updated

0xdeadbeef - InvalidMessage can cause migration to halt

#112 sherlock-admin closed 1 year ago
6
prapandey031 - Delegate call to the initiateWithdrawal() function of the L2ToL1MessagePasser.sol would result in positive msg.value without sending any real value

#111 sherlock-admin closed 1 year ago
0
prapandey031 - Replay of L2ToL1 Messages due to absence of check for sent messages and overflow of msgNonce in the initiateWithdrawal() function of the L2ToL1MessagePasser.sol

#110 sherlock-admin closed 1 year ago
2
obront - Reduced performance when `l1Blocks` in BatchQueue is empty due to wrong CriticalError emission

#109 sherlock-admin closed 1 year ago
2
prapandey031 - Delegate call to the depositTransaction() function of the OptimismPortal.sol would result in high msg.value without sending any real value

#108 sherlock-admin closed 1 year ago
0
obront - Optimism node is susceptible to Gossip-related attacks due to a bug in handling its configuration

#107 sherlock-admin closed 1 year ago
7
prapandey031 - The check "msg.sender != tx.origin" in the depositTransaction() of the OptimismPortal.sol can be broken

#106 sherlock-admin closed 1 year ago
2
obront - Incorrect validation checks will allow data corruption in derivation pipeline

#105 sherlock-admin closed 1 year ago
2
unforgiven - cross domain messages with big calldata would be not-relay-able because baseGas() overestimate the intrinsic gas

#104 sherlock-admin closed 1 year ago
3
prapandey031 - Address aliasing can result in L2 accounts already having ETH or address(0) while depositing L1 to L2

#103 sherlock-admin closed 1 year ago
2
obront - Interaction with OptimismPortal implementation will result in loss of funds

#102 sherlock-admin closed 1 year ago
3
obront - LES transactions are not sent to the sequencer

#101 sherlock-admin closed 1 year ago
2
obront - Wrong _minGasLimit sent from Bridge to Cross Domain Messenger

#100 sherlock-admin closed 1 year ago
6
obront - Reentrancy in Cross Domain Messenger can cause permanent loss of funds

#99 sherlock-admin closed 1 year ago
1
obront - Migration can brick high gas transactions due to delivery cost exceeding block gas limit

#98 sherlock-admin closed 1 year ago
6
unforgiven - valid old withdrawals with more than 25M intrinsic gas can be DOSed by attacker after migration because code cap gasLimit at 25M

#97 sherlock-admin closed 1 year ago
2
obront - CrossDomainMessenger does not successfully guarantee replayability, can lose user funds

#96 sherlock-admin opened 1 year ago
7
prapandey031 - No whenNotPaused() modifier in the depositTransaction() function in OptimismPortal.sol

#95 sherlock-admin closed 1 year ago
0
Koolex - Withdrawals initiation targeting **OptimismPortal** is allowed although finalizing it is not

#94 sherlock-admin closed 1 year ago
0
obront - All migrated withdrarwals that require more than 135,175 gas may be bricked

#93 sherlock-admin opened 1 year ago
8
Jeiwan - `CrossDomainMessenger` over-estimates the gas required to pass cross-chain messages and contradicts the intrinsic gas calculation, forcing users to pay more

#92 sherlock-admin closed 1 year ago
6
obront - Submission interval is unreasonably restricted, bricking migration process or immutably setting incorrect params

#91 sherlock-admin closed 1 year ago
2
obront - Migrated withdrawals requiring over 25mm gas will be bricked

#90 sherlock-admin closed 1 year ago
0
obront - Setting `baseFeeMaxChangeDenominator` to 1 will break all deposits

#89 sherlock-admin closed 1 year ago
6
Jeiwan - Gas usage of cross-chain messages is undercounted, causing discrepancy between L1 and L2 and impacting intrinsic gas calculation

#88 sherlock-admin opened 1 year ago
5
Jeiwan - Legacy withdrawals can be relayed twice, causing double spending of bridged assets

#87 sherlock-admin opened 1 year ago
1
unforgiven - Invalid L2 sender in CrossDomainMessenger

#86 sherlock-admin closed 1 year ago
0
Koolex - Possible loss of funds if the minimum gas limit is set too high on deposit

#85 sherlock-admin closed 1 year ago
7
unforgiven - DOS and griefing the sequencer by bridging large data deposits from L1 to L2 with low gas

#84 sherlock-admin closed 1 year ago
0
8olidity - use safetransferFrom()

#83 sherlock-admin closed 1 year ago
0
Koolex - L2 block gas limit can be set too high which has critical impact

#82 sherlock-admin closed 1 year ago
6
Koolex - Legacy messages that are already relayed can still be finalized

#81 sherlock-admin closed 1 year ago
6
Koolex - Possible loss of funds in case extra ether sent to **OptimismPortal** for old withdrawals

#80 sherlock-admin closed 1 year ago
2
Koolex - LES Issue#175 from the previous contest isn't fixed.

#79 sherlock-admin closed 1 year ago
4
Koolex - Stuck funds can not be recovered although possible loss of funds is likely especially for a custom developed messengers

#78 sherlock-admin closed 1 year ago
2
Koolex - Estimating gas required to relay the message on both L1 and L2 is incorrect

#77 sherlock-admin closed 1 year ago
10
OCC - Lack of access control mechanism

#76 sherlock-admin closed 1 year ago
0
HE1M - Missing `onlyEOA` in `OptimismPortal` and `L2ToL1MessagePasser`

#75 sherlock-admin closed 1 year ago
2
XDZIBEC - Vulnerability in OVM_DeployerWhitelist contracts

#74 sherlock-admin closed 1 year ago
0
rvierdiiev - User can be temporary blocked to prove his transaction after removal of output from L2OutputOracle

#73 sherlock-admin closed 1 year ago
6
rvierdiiev - Proposer can provide output without _l1BlockHash which will make output to be invalid in case of l1 reorg

#72 sherlock-admin closed 1 year ago
2
Koolex - `finalizeWithdrawalTransaction` transaction will not be processed if the minimum gas is set too high

#71 sherlock-admin closed 1 year ago
4
Koolex - Initiating withdrawals on L2 is always open (not pausable) which has a non-trivial impact

#70 sherlock-admin closed 1 year ago
6
Koolex - Big withdrawals can not be halted in case of an emerging issue

#69 sherlock-admin closed 1 year ago
1
Koolex - Deleting output proposals can not be paused by any role which could possibly lead to critical impact

#68 sherlock-admin closed 1 year ago
8
0xdeadbeef - Malicious actor can prevent migration by calling a non-existing function in `OVM_L2ToL1MessagePasser` and making `ReadWitnessData` return an error

#67 sherlock-admin opened 1 year ago
2
Barichek - Withdrawal transactions may temporarily get stuck if the output root is reproposed

#66 sherlock-admin closed 1 year ago
2
HE1M - Messing up `from` or `sender` address on the receiver chain

#65 sherlock-admin closed 1 year ago
2
OCC - getL1GasUsed() function may not accurately calculate the gas used for a transaction

#64 sherlock-admin closed 1 year ago
0
OCC - Risk of Integer Overflow in L1 Fee Calculation

#63 sherlock-admin closed 1 year ago
0