sherlock-audit / 2024-02-optimism-2024-judging


CodeWasp - Non-upgradable Guardian will render the system inoperable in case of compromise #154

Closed sherlock-admin4 closed 6 months ago

sherlock-admin4 commented 7 months ago

CodeWasp

high

Non-upgradable Guardian will render the system inoperable in case of compromise

Summary

According to the contest README, the Guardian role is RESTRICTED (explicitly not TRUSTED), thus it may be compromised. Nevertheless, the current contract setup doesn't allow replacing the Guardian, leaving the system vulnerable to arbitrary actions (in particular DoS) in case of a compromise.

Vulnerability Detail

In the current system setup:

The core functions in OptimismPortal2 - proveWithdrawalTransaction, finalizeWithdrawalTransaction, finalizeWithdrawalTransactionExternalProof - have the whenNotPaused modifier, which will prevent them from executing when the system is paused by the Guardian. In case of a Guardian compromise, OptimismPortal2 will become non-operational.

Impact

In case of a compromise of the RESTRICTED Guardian role, OptimismPortal2 becomes non-operational due to the missing upgradability of the OptimismPortal2 and SuperchainConfig contracts.

Code Snippet

Tool used

Manual Review

Recommendation

We recommend adding upgradability to the SuperchainConfig contract, in the same way it is implemented for the SystemConfig contract.

Duplicate of #80
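As an added illustration that is not part of the report above or of the Optimism code base: a simplified Solidity model of the dependency the report describes, a pause flag set by a Guardian and read by a portal's whenNotPaused modifier. ToySuperchainConfig, ToyPortal, the owner role and setGuardian are hypothetical names introduced here. The report recommends proxy-based upgradability of SuperchainConfig; this model instead shows a Guardian rotation controlled by a separate trusted owner as one concrete form of the recovery path that is otherwise missing, so that a compromised Guardian cannot leave the portal paused indefinitely.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical, simplified stand-in for a pause registry. Not the real
/// SuperchainConfig; names only mirror it to make the relationship readable.
contract ToySuperchainConfig {
    address public guardian;
    bool public paused;

    // Assumption for this example: a separate, TRUSTED owner exists that can
    // rotate the Guardian. Without such a path (or proxy upgradability), a
    // compromised Guardian holds the pause switch forever.
    address public immutable owner;

    event Paused(string identifier);
    event Unpaused();
    event GuardianChanged(address indexed oldGuardian, address indexed newGuardian);

    constructor(address _owner, address _guardian) {
        owner = _owner;
        guardian = _guardian;
    }

    modifier onlyGuardian() {
        require(msg.sender == guardian, "not guardian");
        _;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // A compromised Guardian can call this at will and halt every dependent
    // contract that checks paused().
    function pause(string calldata identifier) external onlyGuardian {
        paused = true;
        emit Paused(identifier);
    }

    function unpause() external onlyGuardian {
        paused = false;
        emit Unpaused();
    }

    // Recovery path (hypothetical): a role other than the Guardian replaces a
    // compromised Guardian, after which the new Guardian can call unpause().
    function setGuardian(address newGuardian) external onlyOwner {
        require(newGuardian != address(0), "zero guardian");
        emit GuardianChanged(guardian, newGuardian);
        guardian = newGuardian;
    }
}

/// Hypothetical stand-in for a portal whose core paths are pause-gated.
contract ToyPortal {
    ToySuperchainConfig public immutable config;

    constructor(ToySuperchainConfig _config) {
        config = _config;
    }

    // Same shape as the whenNotPaused gate the report points at: the check
    // reads the external pause flag, so this contract has no way to recover
    // on its own once the Guardian has set it.
    modifier whenNotPaused() {
        require(!config.paused(), "ToyPortal: paused");
        _;
    }

    function finalizeWithdrawalTransaction(bytes32 /* withdrawalHash */)
        external
        whenNotPaused
    {
        // Withdrawal processing omitted; only the gating matters here.
    }
}
```

Deployment order for the model: deploy ToySuperchainConfig with the owner and Guardian addresses, then ToyPortal pointing at it. If the Guardian key is lost, the owner calls setGuardian with a fresh address and the new Guardian calls unpause; without setGuardian (or a proxy behind ToySuperchainConfig) there is no call sequence that makes finalizeWithdrawalTransaction succeed again.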