KingNFT
High
Governance manipulation attack on NativeTokens
Summary
With the help of governance platforms such as snapshot.org and aragon.org, thousands of standard ERC20 tokens work as governance tokens. If one of these tokens were set as the NativeToken, the current improper implementation of OptimismPortal2 would expose that token to a governance manipulation attack.
Root Cause
(1) With high probability, a large amount of NativeToken will be held by OptimismPortal2
For reference, Optimism and Base each hold about 1.3 Billion USD worth of NativeToken (ETH in their case) in OptimismPortal. Since OptimismPortal2 will be the L1 vault for NativeTokens deposited to L2, we can expect a large amount of NativeToken to be held by OptimismPortal2 too.
(2) For messages sent from L2 to L1, the target can be any contract except NativeToken itself, as shown at L382-384 of OptimismPortal2.sol:
File: src\L1\OptimismPortal2.sol
356:     function finalizeWithdrawalTransactionExternalProof(
357:         Types.WithdrawalTransaction memory _tx,
358:         address _proofSubmitter
359:     )
...
362:     {
...
382:         require(
383:             _tx.target != _nativeTokenAddress, "Optimism Portal: cannot make a direct call to native token contract"
384:         );
...
429:     }
Internal pre-conditions
Any of these governance tokens is set as the NativeToken
External pre-conditions
N/A
Attack Path
(1) Attack case for governance tokens using the snapshot.org platform
Thousands of projects use ERC20 balance as voting power (https://snapshot.org/#/?filter=strategies&q=erc20-balance-of), and many of them have enabled vote delegation. If any of these tokens is also the NativeToken, an attacker can send an L2 -> L1 message with snapshot's unified DelegateRegistry contract (link) as target to delegate OptimismPortal2's huge voting power to a malicious address controlled by the attacker.
(2) Attack case for governance tokens using the aragon.org framework
Under the Aragon framework, each project has its own separate voting contract instance. Take the well known Lido project for example (https://vote.lido.fi/): the governance token is LDO: 0x5A98FcBEA516Cf06857215779Fd812CA3beF1B32 (link: CoinMarketCap), and its Aragon voting contract is 0x2e59A20f205bB85a89C53f1936454680651E618e. If LDO were the NativeToken, an attacker could send an L2 -> L1 message with the Aragon voting contract as target to delegate OptimismPortal2's huge voting power to a malicious address by calling assignDelegate(), or call vote() to directly vote for a malicious proposal.
(3) Though this report does not check all governance platforms and frameworks, there is a high chance that other governance frameworks and tokens suffer from similar attack vectors.
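A toy model of the attack path above and of the blacklist mitigation proposed below, written as an added example (constructed Python, not Tokamak, Optimism or snapshot code): the portal's only target check is the native token, so a withdrawal that targets a snapshot-style delegate registry hands the portal's balance-based voting power to the attacker, while a blacklisted target is rejected. All addresses, balances and the registry API are constructed stand-ins.

```python
from dataclasses import dataclass
# Constructed labels standing in for L1 addresses (not real deployments).
PORTAL, NATIVE_TOKEN, DELEGATE_REGISTRY = "portal", "native_token", "delegate_registry"
ATTACKER_L2, ATTACKER_L1 = "attacker_l2", "attacker_l1"

@dataclass
class WithdrawalTransaction:
    sender: str   # L2 sender of the message
    target: str   # L1 contract the portal will call
    data: tuple   # (function name, args...), standing in for ABI calldata

class DelegateRegistry:
    """Snapshot-style registry: the caller sets the delegate for its own address."""
    def __init__(self):
        self.delegation = {}
    def set_delegate(self, caller, delegate):
        self.delegation[caller] = delegate

class PortalModel:
    """Target checks of finalizeWithdrawalTransactionExternalProof, as modelled here."""
    def __init__(self, native_token, contracts, target_blacklist=()):
        self.native_token = native_token
        self.contracts = contracts              # address -> contract object
        self.target_blacklist = set(target_blacklist)
    def finalize_withdrawal(self, tx):
        if tx.target == self.native_token:      # the only check on the page
            raise ValueError("cannot make a direct call to native token contract")
        if tx.target in self.target_blacklist:  # the report's proposed mitigation
            raise ValueError("cannot make a direct call to blacklisted contract")
        fn, *args = tx.data
        getattr(self.contracts[tx.target], fn)(PORTAL, *args)  # msg.sender is the portal

def voting_power(balances, registry, voter):
    """erc20-balance-of strategy with delegation: balances whose delegate is `voter`."""
    return sum(b for holder, b in balances.items()
               if registry.delegation.get(holder, holder) == voter)

def run_scenario(blacklist=()):
    """Finalize a delegation withdrawal; return the attacker's resulting voting power."""
    registry = DelegateRegistry()
    balances = {PORTAL: 1_300_000_000, ATTACKER_L1: 0}  # constructed: portal holds the bulk
    portal = PortalModel(NATIVE_TOKEN, {DELEGATE_REGISTRY: registry}, blacklist)
    tx = WithdrawalTransaction(ATTACKER_L2, DELEGATE_REGISTRY, ("set_delegate", ATTACKER_L1))
    portal.finalize_withdrawal(tx)
    return voting_power(balances, registry, ATTACKER_L1)

def finalization_blocked(blacklist):
    try:  # True when the portal rejects the delegation withdrawal under `blacklist`
        run_scenario(blacklist)
    except ValueError:
        return True
    return False
```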
Impact
A widespread governance manipulation attack producing unconstrained damage.
PoC
No response
Mitigation
Add a target blacklist that allows the admin to manage dangerous targets of all kinds, such as:
diff --git a/tokamak-thanos/packages/tokamak/contracts-bedrock/src/L1/OptimismPortal2.sol b/tokamak-thanos/packages/tokamak/contracts-bedrock/src/L1/OptimismPortal2.sol
index 8c5af46..679609c 100644
--- a/tokamak-thanos/packages/tokamak/contracts-bedrock/src/L1/OptimismPortal2.sol
+++ b/tokamak-thanos/packages/tokamak/contracts-bedrock/src/L1/OptimismPortal2.sol
@@ -104,6 +104,8 @@ contract OptimismPortal2 is Initializable, ResourceMetering, OnApprove, ISemver
/// @notice Spacer for forwards compatibility.
bytes32 private spacer_61_0_32;
+ mapping(address => bool) targetBlackList;
+
/// @notice Emitted when a transaction is deposited from L1 to L2.
/// The parameters of this event are read by the rollup node and used to derive deposit
/// transactions on L2.
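Review bot: the new `mapping(address => bool) targetBlackList;` is declared right after `spacer_61_0_32` in an upgradeable (Initializable) contract that reserves spacers for forwards compatibility, so inserting it here shifts the storage slot of every variable declared after it; either append it at the end of the storage layout or document that it takes the reserved slot, and give it an explicit visibility (`mapping(address => bool) public targetBlacklist;`) so the list can be audited on-chain. The hunk also adds no admin-restricted setter or event to populate the mapping, so as written nothing can ever be added to the list.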
@@ -383,6 +385,9 @@ contract OptimismPortal2 is Initializable, ResourceMetering, OnApprove, ISemver
_tx.target != _nativeTokenAddress, "Optimism Portal: cannot make a direct call to native token contract"
);
+ require(
+ !targetBlackList[_tx.target], "Optimism Portal: cannot make a direct call to blacklist contract"
+ );
// Set the l2Sender so contracts know who triggered this withdrawal on L2.
l2Sender = _tx.sender;
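Review bot: the added `require(!targetBlackList[_tx.target], ...)` is a deny-by-exception control, so every governance or delegation contract that has not yet been listed (including ones deployed after the upgrade) remains callable with the portal as msg.sender until an admin reacts; say so in a NatSpec comment on the check and pair it with a documented process for reviewing new targets. Also fix the wording and indentation of the three added lines to match the `require(` block directly above them, e.g. "cannot make a direct call to blacklisted contract".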