Closed sherlock-admin closed 8 months ago
1 comment(s) were left on this issue during the judging contest.
takarez commented:
invalid because {invalid: watson should provide a POC}
Disputing until there is a valid PoC; this is a potential high-severity issue and is covered under our "forgery of proofs" scope.
I'm closing this issue for now. If Watson wants he can escalate and provide a POC
medium
Proofs for verifyBridgeLeaf and verifyBlobLeaf methods can be swapped by specifying crafted blobRoot and bridgeRoot in _checkDataRoot
Summary
Proofs for the `verifyBridgeLeaf` and `verifyBlobLeaf` methods can be swapped by specifying a crafted `input.blobRoot` and `input.bridgeRoot` in the `_checkDataRoot` method. We can use any pair of (Merkle tree vertex, proof) taken from the proofs given in `input` as (`input.blobRoot`, `input.bridgeRoot`) in the `_checkDataRoot` method and still have a correct proof for the leaf. By selecting a specific Merkle tree vertex (with a left proof or a right proof) we are able to set `input.blobRoot` and `input.bridgeRoot` in a way that leads to choosing the wrong root in the `verifyBridgeLeaf` or `verifyBlobLeaf` method. However, this doesn't lead to a contract attack, because leaves in this contract can only be `keccak256(keccak256(blob))` or `keccak256(message)` and cannot be swapped.
Vulnerability Detail
The `_checkDataRoot` method verifies that `keccak256(abi.encode(input.blobRoot, input.bridgeRoot))` exists in the Merkle tree; however, this leaf structure is identical to the structure of any intermediate vertex, `keccak256(leaf . proof(i))`. By specifying `blobRoot` and `bridgeRoot` as `leaf` and `proof(i)` for any proof given in `input` (even the proof for the leaf, not the one for the dataRoot) we still have a valid proof for the dataRoot and the leaf. By selecting specific Merkle tree vertices with a left proof or a right proof we can interchange proofs for the `verifyBridgeLeaf` and `verifyBlobLeaf` methods. To put it simply, we can call `verifyBridgeLeaf` or `verifyBlobLeaf` with a valid proof but with the wrong type of leaf: a `blob` for `verifyBridgeLeaf` and a `message` for `verifyBlobLeaf`. This scenario doesn't lead to a direct contract attack, though, as a `blob` is stored as `keccak256(keccak256(blob))` and a `message` as `keccak256(message)`, so we can't craft any `blob` or `message` that fits the specified hash.
Impact
Possible attack on leaves in the Merkle tree: a message can be interpreted as a blob, and vice versa.
Code Snippet
https://github.com/sherlock-audit/2023-12-avail/blob/main/contracts/src/AvailBridge.sol#L490-L491
https://github.com/sherlock-audit/2023-12-avail/blob/main/contracts/src/lib/Merkle.sol#L29-L33
Tool used
Manual Review
Recommendation
Change the leaf structure in `_checkDataRoot`, for example by adding more data to it:
`keccak256(abi.encode(input.blobRoot, input.bridgeRoot))` -> `keccak256(abi.encode(<constant>, input.blobRoot, input.bridgeRoot))`
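The leaf/vertex ambiguity described in the Vulnerability Detail, and the effect of the constant prefix recommended above, as an added example that is not the project's code: `hashlib.sha3_256` stands in for keccak256 (which the Python standard library lacks), and the tree layout (ordered siblings selected by index bit, odd levels padded by duplicating the last node) and the `DOMAIN` value are assumptions, since only the shape of the preimages matters here. An internal node is hashed over exactly 64 bytes while the prefixed leaf is hashed over 96, so the two can never share a preimage.

```python
import hashlib

# hashlib.sha3_256 stands in for keccak256 (not in the stdlib); the argument is structural.
def h(data: bytes) -> bytes:
    return hashlib.sha3_256(data).digest()

def hash_pair(left: bytes, right: bytes) -> bytes:
    # Internal node H(left || right): same shape as keccak256(abi.encode(a, b)) for two bytes32.
    return h(left + right)

def root_and_proof(leaves, index):
    """Ordered binary tree (assumed layout); returns (root, siblings bottom-up) for leaves[index]."""
    proof, level, i = [], list(leaves), index
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])  # pad odd levels by duplicating the last node
        proof.append(level[i ^ 1])
        level = [hash_pair(level[k], level[k + 1]) for k in range(0, len(level), 2)]
        i //= 2
    return level[0], proof

def verify(root, leaf, proof, index):
    node = leaf
    for sib in proof:  # index bit says whether the sibling is on the left or the right
        node = hash_pair(sib, node) if index & 1 else hash_pair(node, sib)
        index //= 2
    return node == root

DOMAIN = b"\x00" * 31 + b"\x01"  # constructed placeholder for the recommended <constant>

def leaf_weak(blob_root, bridge_root):   # current: 64-byte preimage, same as an internal node
    return hash_pair(blob_root, bridge_root)

def leaf_fixed(blob_root, bridge_root):  # recommended: 96-byte preimage, never an internal node
    return h(DOMAIN + blob_root + bridge_root)

def swapped_inputs(leaf, proof, index):
    """The substitution the report describes: leaf and its first sibling become (blobRoot, bridgeRoot)."""
    pair = (proof[0], leaf) if index & 1 else (leaf, proof[0])
    return pair, proof[1:], index // 2

def demo(index=2):
    # constructed sample data: four (blobRoot, bridgeRoot) pairs in one data-root tree
    pairs = [(h(b"blob%d" % k), h(b"bridge%d" % k)) for k in range(4)]
    out = {}
    for name, make_leaf in (("weak", leaf_weak), ("fixed", leaf_fixed)):
        leaves = [make_leaf(b, r) for b, r in pairs]
        root, proof = root_and_proof(leaves, index)
        (b2, r2), short_proof, short_index = swapped_inputs(leaves[index], proof, index)
        out[name + "_honest"] = verify(root, make_leaf(*pairs[index]), proof, index)
        out[name + "_swapped"] = verify(root, make_leaf(b2, r2), short_proof, short_index)
    return out
```

With the current leaf shape the swapped pair and a one-element-shorter proof still verify against the data root; with the prefixed leaf the same substitution fails while honest proofs still pass.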