search

sherlock-audit / 2024-02-optimism-2024-judging

6 stars 4 forks source link

bareli - wrong calculation of required bond in "getRequiredBond" #215

Closed sherlock-admin2 closed 7 months ago

sherlock-admin2 commented 7 months ago

bareli

medium

wrong calculation of required bond in "getRequiredBond"

Summary

we are calculating the wrong rawGas calculation. it will increase our requiredBond_ by FixedPointMathLib.WAD).

Vulnerability Detail

int256 rawGas = FixedPointMathLib.powWad(base, int256(depth * FixedPointMathLib.WAD));

function getRequiredBond(Position _position) public view returns (uint256 requiredBond_) {
    uint256 depth = uint256(_position.depth());
    if (depth > MAX_GAME_DEPTH) revert GameDepthExceeded();

    // Values taken from Big Bonds v1.5 (TM) spec.
    uint256 assumedBaseFee = 200 gwei;
    uint256 baseGasCharged = 400_000;
    uint256 highGasCharged = 200_000_000;

    // Goal here is to compute the fixed multiplier that will be applied to the base gas
    // charged to get the required gas amount for the given depth. We apply this multiplier
    // some `n` times where `n` is the depth of the position. We are looking for some number
    // that, when multiplied by itself `MAX_GAME_DEPTH` times and then multiplied by the base
    // gas charged, will give us the maximum gas that we want to charge.
    // We want to solve for (highGasCharged/baseGasCharged) ** (1/MAX_GAME_DEPTH).
    // We know that a ** (b/c) is equal to e ** (ln(a) * (b/c)).
    // We can compute e ** (ln(a) * (b/c)) quite easily with FixedPointMathLib.

    // Set up a, b, and c.
    uint256 a = highGasCharged / baseGasCharged;
    uint256 b = FixedPointMathLib.WAD;
    uint256 c = MAX_GAME_DEPTH * FixedPointMathLib.WAD;

    // Compute ln(a).
    // slither-disable-next-line divide-before-multiply
    uint256 lnA = uint256(FixedPointMathLib.lnWad(int256(a * FixedPointMathLib.WAD)));

    // Computes (b / c) with full precision using WAD = 1e18.
    uint256 bOverC = FixedPointMathLib.divWad(b, c);

    // Compute e ** (ln(a) * (b/c))
    // sMulWad can be used here since WAD = 1e18 maintains the same precision.
    uint256 numerator = FixedPointMathLib.mulWad(lnA, bOverC);
    int256 base = FixedPointMathLib.expWad(int256(numerator));

    // Compute the required gas amount.
    int256 rawGas = FixedPointMathLib.powWad(base, int256(depth * FixedPointMathLib.WAD));
    uint256 requiredGas = FixedPointMathLib.mulWad(baseGasCharged, uint256(rawGas));

    // Compute the required bond.
    requiredBond_ = assumedBaseFee * requiredGas;
}

Impact

rawGas will be calculated more by a factor of FixedPointMathLib.WAD.

Code Snippet

https://github.com/sherlock-audit/2024-02-optimism-2024/blob/main/optimism/packages/contracts-bedrock/src/dispute/FaultDisputeGame.sol#L621

Tool used

Manual Review

Recommendation

int256 rawGas = FixedPointMathLib.powWad(base, int256(depth));

nevillehuang commented 7 months ago

Invalid, computation correct to maintain 18 decimal precision