sherlock-audit / 2024-02-optimism-2024-judging


0x007 - DelayedWETH.DELAY_SECONDS could be bypassed by calling resolve a long time after unlocking #109

Closed sherlock-admin4 closed 6 months ago

sherlock-admin4 commented 7 months ago

0x007

medium

DelayedWETH.DELAY_SECONDS could be bypassed by calling resolve a long time after unlocking

Summary

DelayedWETH.DELAY_SECONDS is an airgap that's used to freeze assets in case there's a mistake in resolve. But tokens are unlocked before resolve and there's no enforcement in the codebase to resolve immediately after unlock.

Vulnerability Detail

After resolveClaim has been called for all claimIndex, all tokens would be unlocked. However, the game has not resolved unless resolve is called to change the game status. This could be used to bypass the delay airgap.

PoC

Impact

An attacker could bypass the DELAY_SECONDS and claim ETH for a wrongly resolved game.

Code Snippet

https://github.com/sherlock-audit/2024-02-optimism-2024/blob/main/optimism/packages/contracts-bedrock/src/dispute/weth/DelayedWETH.sol#L31
https://github.com/sherlock-audit/2024-02-optimism-2024/blob/main/optimism/packages/contracts-bedrock/src/dispute/weth/DelayedWETH.sol#L57
https://github.com/sherlock-audit/2024-02-optimism-2024/blob/main/optimism/packages/contracts-bedrock/src/dispute/FaultDisputeGame.sol#L704
https://github.com/sherlock-audit/2024-02-optimism-2024/blob/main/optimism/packages/contracts-bedrock/src/dispute/FaultDisputeGame.sol#L630-L645
https://github.com/sherlock-audit/2024-02-optimism-2024/blob/main/optimism/packages/contracts-bedrock/src/dispute/FaultDisputeGame.sol#L386-L464

Tool used

Manual Review

Recommendation

You could add the airgap to the dispute game and start counting after resolve has been called and status has been updated. Or you could call resolve when resolveClaim for index zero is called.

nevillehuang commented 6 months ago

Duplicate of #132, invalid, since resolving a game is permissionless, I believe this is not an issue
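
The timing argument in the report above, as an added example that is not part of the thread or of the Optimism contracts: a simplified Python model comparing how much of the delay remains after resolve when the clock starts at unlock (as the report describes) and when it starts at resolve (the report's first recommendation). The `Game` class, the function names and the 7-day delay are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

DAY = 24 * 3600
DELAY_SECONDS = 7 * DAY  # constructed value; the page does not state the delay


@dataclass
class Game:
    """Simplified timeline of one dispute game (hypothetical model)."""
    unlocked_at: Optional[int] = None  # last resolveClaim: bonds unlocked
    resolved_at: Optional[int] = None  # resolve: game status updated

    def resolve_claim(self, now: int) -> None:
        self.unlocked_at = now

    def resolve(self, now: int) -> None:
        if self.unlocked_at is None:
            raise ValueError("claims must be resolved before the game")
        self.resolved_at = now


def earliest_withdrawal_reported(game: Game, delay: int) -> int:
    """Behaviour the report describes: the delay clock starts at unlock."""
    return game.unlocked_at + delay


def earliest_withdrawal_recommended(game: Game, delay: int) -> int:
    """The report's first recommendation: start counting at resolve."""
    return game.resolved_at + delay


def review_window(game: Game, earliest_withdrawal: int) -> int:
    """Seconds between the status update and the first possible withdrawal."""
    return max(0, earliest_withdrawal - game.resolved_at)


def compare(resolve_lag: int, delay: int = DELAY_SECONDS) -> Tuple[int, int]:
    """Return (window as reported, window as recommended) in seconds."""
    game = Game()
    game.resolve_claim(now=0)
    game.resolve(now=resolve_lag)
    return (review_window(game, earliest_withdrawal_reported(game, delay)),
            review_window(game, earliest_withdrawal_recommended(game, delay)))


if __name__ == "__main__":
    for lag_days in (0, 3, 10):
        reported, recommended = compare(lag_days * DAY)
        print(f"resolve {lag_days:>2}d after unlock: {reported // DAY}d left "
              f"as reported, {recommended // DAY}d counted from resolve")
```

With zero lag both schemes leave the full delay, which is the case the judging reply relies on, since anyone can call resolve; the two only diverge as the gap between the last resolveClaim and resolve grows.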