sherlock-audit / 2024-02-optimism-2024-judging

6 stars 4 forks source link

discrepency b/w natspec comment & code in prove method #246

Closed sherlock-admin3 closed 6 months ago

sherlock-admin3 commented 7 months ago

discrepency b/w natspec comment & code in prove method

Low/Info issue submitted by Shield

Summary

discrepency b/w natspec comment & code in prove method

Vulnerability Detail

The natspec comments in the proveWithdrawalTransaction function states the following :

    // We generally want to prevent users from proving the same withdrawal multiple times
    // because each successive proof will update the timestamp.

But the same withdrawal can be proven multiple times if the following condition occurs:

I. If the user keeps on proving the same withdrawal against blacklisted dispute games and then final proving would be against a valid dispute game. Then the same withdrawal can be proven multiple times.

II. After the initial approval of a withdrawal the respectedGameType changes. Then the oldGame.gameType().raw() != respectedGameType.raw() becomes true for the already proven withdrawal which enables the same withdrawal to be proved again.

Impact

the wrong natspec comments impacts the readability of the code

Code Snippet

https://github.com/sherlock-audit/2024-02-optimism-2024/blob/main/optimism/packages/contracts-bedrock/src/L1/OptimismPortal2.sol#L280

Tool used

Manual Review

Recommendation

update the natspec comment

sherlock-admin4 commented 6 months ago

The protocol team fixed this issue in the following PRs/commits: https://github.com/ethereum-optimism/optimism/pull/10154