search

sherlock-audit / 2024-02-optimism-2024-judging

6 stars 4 forks source link

lemonmon - `OptimismPortal2` not initialized `respectedGameTypeUpdatedAt` will allow games created before the upgrade #171

Closed sherlock-admin3 closed 6 months ago

sherlock-admin3 commented 7 months ago

lemonmon

medium

OptimismPortal2 not initialized respectedGameTypeUpdatedAt will allow games created before the upgrade

Summary

The OptimismPortal2 uses the respectedGameTypeUpdatedAt to prevent games created before the gameType is respected. The respectedGameTypeUpdateAt will be set to the timestamp when setRespectedGameType is called. However, the default gametype is zero (CANNON), so before the guardian can set via setRespectedGameType, a malicious actor can use a game created at any time in the past.

Vulnerability Detail

The OptimismPortal2::initialize function does not set the respected game type and the respectedGameTypeUpdatedAt.

https://github.com/sherlock-audit/2024-02-optimism-2024/blob/main/optimism/packages/contracts-bedrock/src/L1/OptimismPortal2.sol#L147-L162

It will result in default value (zero) for both respectedGameTypeUpdatedAt and respectedGameType. The default GameType zero is CANNON.

// Add to the OptimismPortal2_Test
    function test_not_initialized_respectedGameTypeUpdatedAt() external {
        uint64 updatedAt = optimismPortal2.respectedGameTypeUpdatedAt();
        assertEq(updatedAt, 0);
    }

https://github.com/sherlock-audit/2024-02-optimism-2024/blob/main/optimism/packages/contracts-bedrock/src/libraries/DisputeTypes.sol#L104

As the result, users can use the CANNON game to prove their withdrawals as soon as the OptimismPortal2 is deployed.

But, per the comment in the checkWithwal function, the respectedGameTypeUpdatedAt is set to prevent using games deployed before the guardian is watching.

Since it is still set to zero, the checkWithdrawal will allow any game to be used.

https://github.com/sherlock-audit/2024-02-optimism-2024/blob/main/optimism/packages/contracts-bedrock/src/L1/OptimismPortal2.sol#L502-L507

For whatever reason, (for example testing), if the factory and game contracts are deployed before the upgrade of the OptimismPortal2, it may be a problem, since it may allow invalid withdraw to finalized.

Impact

The unset respectedGameTypeUpdatedAt may let games deployed at any time can be used, therefore may result in finalizing invalid withdrwal

Code Snippet

https://github.com/sherlock-audit/2024-02-optimism-2024/blob/main/optimism/packages/contracts-bedrock/src/L1/OptimismPortal2.sol#L147-L162

https://github.com/sherlock-audit/2024-02-optimism-2024/blob/main/optimism/packages/contracts-bedrock/src/libraries/DisputeTypes.sol#L104

https://github.com/sherlock-audit/2024-02-optimism-2024/blob/main/optimism/packages/contracts-bedrock/src/L1/OptimismPortal2.sol#L502-L507

Tool used

Manual Review

Recommendation

Consider setting the GameType and respectedGameTypeUpdatedAt at the initialize function

Duplicate of #85

sherlock-admin2 commented 5 months ago

The protocol team fixed this issue in the following PRs/commits: https://github.com/ethereum-optimism/optimism/pull/10198