sherlock-audit / 2024-02-optimism-2024-judging


MiloTruck - Leftmost claim incentives can be abused to steal bonds from honest parties #200

Closed sherlock-admin2 closed 7 months ago

sherlock-admin2 commented 7 months ago

MiloTruck

medium

Leftmost claim incentives can be abused to steal bonds from honest parties

Summary

Due to the leftmost claim incentive, players are incentivized to make an invalid attack to steal bonds from honest players that defend a parent claim.

Vulnerability Detail

When distributing bonds for countered claims, FaultDisputeGame.resolveClaim() distributes the bond of the parent claim to the leftmost uncontested child claim:

FaultDisputeGame.sol#L450-L459

            // If the child subgame is uncountered and further left than the current left-most counter,
            // update the parent subgame's `countered` address and the current `leftmostCounter`.
            // The left-most correct counter is preferred in bond payouts in order to discourage attackers
            // from countering invalid subgame roots via an invalid defense position. As such positions
            // cannot be correctly countered.
            // Note that correctly positioned defense, but invalid claimes can still be successfully countered.
            if (claim.counteredBy == address(0) && leftmostCounter.raw() > claim.position.raw()) {
                countered = claim.claimant;
                leftmostCounter = claim.position;
            }

However, such a leftmost mechanism encourages players to make an invalid attack when their opponent's clock has run out.

For example:

As seen from above, an attacker can abuse the leftmost claim incentive to "steal" bonds from honest proposers by making invalid attacks.

Impact

By abusing the leftmost claim incentive, attackers can steal bonds from honest participants in a dispute game, resulting in a loss of funds and broken incentives to play the dispute game correctly.

Note that in this finding, the dispute game does resolve correctly. The impact here is that a correct dispute game resolution can occur with a loss of funds to honest participants, which is not considered out-of-scope by this statement:

Participants should assume that the FaultDisputeGame can resolve incorrectly (i.e.g, can resolve to DEFENDER_WINS when it should resolve to CHALLENGER_WINS or vice versa). Reports that demonstrate an incorrect resolution of the FaultDisputeGame are appreciated but will not be considered valid rewardable findings for this specific contest.

Code Snippet

https://github.com/sherlock-audit/2024-02-optimism-2024/blob/f216b0d3ad08c1a0ead557ea74691aaefd5fd489/optimism/packages/contracts-bedrock/src/dispute/FaultDisputeGame.sol#L450-L459

Tool used

Manual Review

Recommendation

Consider using another method to distribute the bond of countered parent claims.
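
A simplified Python model of the selection rule quoted in the report above, added here as an illustration; it is not code from the report or from the Optimism repository. The claim tree, claimant names, bond amounts and raw positions are constructed, clocks are not modelled, and the later left-hand child is simply given as uncountered.

```python
from dataclasses import dataclass
from typing import Optional

MAX_POSITION = 2**128 - 1  # assumed stand-in for the initial leftmostCounter

@dataclass
class Claim:
    parent: Optional[int]   # index of the parent claim, None for the root
    position: int           # raw position; a smaller value is further left
    claimant: str
    bond: int
    countered_by: Optional[str] = None

def resolve(claims, idx, credit):
    """Resolve the subgame rooted at claims[idx], children first, and credit its bond."""
    claim = claims[idx]
    countered, leftmost = None, MAX_POSITION
    for child_idx, child in enumerate(claims):
        if child.parent != idx:
            continue
        resolve(claims, child_idx, credit)
        # Same test as the quoted snippet: an uncountered child further left wins.
        if child.countered_by is None and leftmost > child.position:
            countered, leftmost = child.claimant, child.position
    claim.countered_by = countered
    recipient = countered if countered is not None else claim.claimant
    credit[recipient] = credit.get(recipient, 0) + claim.bond
    return recipient

def game(with_late_left_child):
    """Constructed tree: a disputed claim at position 2 with one or two children."""
    claims = [
        Claim(None, 1, "proposer", 1),
        Claim(0, 2, "challenger", 1),   # parent claim whose bond is at stake
        Claim(1, 6, "honest", 1),       # defense: right-hand child of claim 1
    ]
    if with_late_left_child:
        claims.append(Claim(1, 4, "late", 1))  # left-hand child, left uncountered
    return claims

def payouts(claims):
    credit = {}
    resolve(claims, 0, credit)
    return credit
```

With only the defense present, the parent's bond is credited to "honest"; once the uncountered child at position 4 exists, the same bond is credited to "late" and "honest" recovers only their own bond.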

sherlock-admin4 commented 7 months ago

The protocol team fixed this issue in the following PRs/commits: https://github.com/ethereum-optimism/optimism/pull/10182

nevillehuang commented 7 months ago

Based on scope details below, any issue related to FDG/FDG subgames resolution logic with root cause stemming from FaultDisputeGame contract will be considered OOS of this contest if airgap and/or delayed WETH mechanism implemented for off-chain review of game results and bond distribution is not shown to be bypassed

https://docs.google.com/document/d/1xjvPwAzD2Zxtx8-P6UE69TuoBwtZPbpwf5zBHAvBJBw/edit