search

sherlock-audit / 2024-02-optimism-2024-judging

6 stars 4 forks source link

FonDevs - `respectedGameType` is set in the constructor and not in the initializer function #183

Closed sherlock-admin3 closed 7 months ago

sherlock-admin3 commented 7 months ago

FonDevs

medium

respectedGameType is set in the constructor and not in the initializer function

https://github.com/sherlock-audit/2024-02-optimism-2024/blob/main/optimism/packages/contracts-bedrock/src/L1/OptimismPortal2.sol#L127C11-L162C6

Summary

the GameType public respectedGameType variable in the OptimismPortal2.sol is set in the constructor, because it is a base contract that will be deployed behind a proxy, the proxy might have another value stored in the respectedGameType slot, or it might be empty.

Vulnerability Detail

because of this, the value the deployer expects will be the respectedGameType will be different because it is set in the base contract and not in the proxy contract.

Impact

if the GameType at the respectedGameType` slot is vulnerable, an attacker can use that to target portals before this value is reset.

Code Snippet

Tool used

Manual Review.

Recommendation

set the GameType respectedGameType in the function initialize instead of the constructor.

Duplicate of #88

sherlock-admin2 commented 6 months ago

The protocol team fixed this issue in the following PRs/commits: https://github.com/ethereum-optimism/optimism/pull/10198