No way to unblacklist DisputeGame in OptimismPortal2 which may cause withdrawal by users of that DisputeGame to be permanently locked.
Low/Info issue submitted by forgebyola
Summary
There is no way to unblacklist a DisputeGame blacklisted by the Guardian in OptimismPortal2, this would permanently disable withdrawals for participants of that game.
Vulnerability Detail
DisputeGames can be blacklisted by the Guardian for reasons such as faulty resolution in OptimismPortal2.blacklistDisputeGame. When users need to finalize a withdrawal after proving the tx, the user calls OptimismPortal2.finalizeWithdrawalTransactionExternalProof which checks that the DisputeGame is not blacklisted.
function checkWithdrawal(bytes32 _withdrawalHash, address _proofSubmitter) public view {
ProvenWithdrawal memory provenWithdrawal = provenWithdrawals[_withdrawalHash][_proofSubmitter];
IDisputeGame disputeGameProxy = provenWithdrawal.disputeGameProxy;
// The dispute game must not be blacklisted.
@> require(!disputeGameBlacklist[disputeGameProxy], "OptimismPortal: dispute game has been blacklisted");
-------------------------------------
It is expected that if a DisputeGame is blacklisted, there is a good reason. However, for legit users of that game with legit withdrawals which need to be carried out, they would never be able to do this once the game is blacklisted.
Impact
Legit victims of a faulty DisputeGame would never be able to carry out withdrawals from that game and may lead to permanent loss of funds for victims.
If a game has been blacklisted by the Guardian due to malicious activity or incorrect resolution, participants in that game would not be able to finalize any withdrawals from that game permanently.
Tool used
Manual Review
Recommendation
It is recommended that there is a way for the guardian to unblacklist a game following previous blacklist. This would be preceded by appropriate criteria for unblacklisting. This would prevent grief to legit users and victims.
No way to unblacklist DisputeGame in
OptimismPortal2which may cause withdrawal by users of that DisputeGame to be permanently locked.Low/Info issue submitted by forgebyola
Summary
There is no way to unblacklist a DisputeGame blacklisted by the
GuardianinOptimismPortal2, this would permanently disable withdrawals for participants of that game.Vulnerability Detail
DisputeGames can be blacklisted by the Guardian for reasons such as faulty resolution in
OptimismPortal2.blacklistDisputeGame. When users need to finalize a withdrawal after proving the tx, the user callsOptimismPortal2.finalizeWithdrawalTransactionExternalProofwhich checks that the DisputeGame is not blacklisted.It is expected that if a DisputeGame is blacklisted, there is a good reason. However, for legit users of that game with legit withdrawals which need to be carried out, they would never be able to do this once the game is blacklisted.
Impact
Legit victims of a faulty DisputeGame would never be able to carry out withdrawals from that game and may lead to permanent loss of funds for victims.
Code Snippet
https://github.com/sherlock-audit/2024-02-optimism-2024/blob/main/optimism/packages/contracts-bedrock/src/L1/OptimismPortal2.sol#L440-L443
https://github.com/sherlock-audit/2024-02-optimism-2024/blob/main/optimism/packages/contracts-bedrock/src/L1/OptimismPortal2.sol#L463
Proof of Concept
If a game has been blacklisted by the Guardian due to malicious activity or incorrect resolution, participants in that game would not be able to finalize any withdrawals from that game permanently.
Tool used
Manual Review
Recommendation