w42d3n - Insufficient input validation in OptimismPortal2.sol

[sherlock-admin3]

w42d3n

medium

Insufficient input validation in OptimismPortal2.sol

Summary

Insufficient input validation

Vulnerability Detail

The constructor of the OptimismPortal2 contract does not validate its arguments.

Impact

This could lead to undesired behavior or potential vulnerabilities depending on how the arguments are used throughout the contract.

Code Snippet

https://github.com/sherlock-audit/2024-02-optimism-2024/blob/main/optimism/packages/contracts-bedrock/src/L1/OptimismPortal2.sol#L127-L141

    constructor(
        uint256 _proofMaturityDelaySeconds,
        uint256 _disputeGameFinalityDelaySeconds,
        GameType _initialRespectedGameType
    ) {
        PROOF_MATURITY_DELAY_SECONDS = _proofMaturityDelaySeconds;
        DISPUTE_GAME_FINALITY_DELAY_SECONDS = _disputeGameFinalityDelaySeconds;
        respectedGameType = _initialRespectedGameType;

        initialize({
            _disputeGameFactory: DisputeGameFactory(address(0)),
            _systemConfig: SystemConfig(address(0)),
            _superchainConfig: SuperchainConfig(address(0))
        });
    }

In this case, the constructor does not validate any of these arguments.

Tool used

Manual Review

Recommendation

It is recommended to always validate function arguments, especially in contract constructors. For example:

_proofMaturityDelaySeconds and _disputeGameFinalityDelaySeconds: These should be validated to ensure they are not excessively large (might cause overflows later in calculation) or excessively small (might lead to blocking withdrawals).

_initialRespectedGameType: Ensure that this is a valid game type (if the type GameType has constraints).

_disputeGameFactory, _systemConfig, and _superchainConfig: Ensure that these are not the zero address and are actually the addresses of deployed contracts.

[nevillehuang]

Invalid, admin input error during deployment