Unauthorized Fund Transfers via Manipulated Metadata in finalizeWithdrawalTransactionExternalProof
Summary
A critical vulnerability exists in the finalizeWithdrawalTransactionExternalProof function of the OptimismPortal2.sol contract that allows malicious actors to manipulate withdrawal transactions by altering key transaction metadata, specifically the target address. This vulnerability enables an attacker to reroute funds intended for legitimate users to an address controlled by the attacker, resulting in unauthorized withdrawal finalizations and potential theft of user funds.
The vulnerability arises because finalizeWithdrawalTransactionExternalProof does not adequately validate the source of the transaction or the legitimacy of the target address within the transaction metadata. This lack of validation allows an attacker, such as Bob, to alter the metadata of a legitimate user’s (Alice’s) withdrawal transaction and set the target address to an address controlled by the attacker. As a result, the system processes and finalizes the manipulated transaction, falsely marking it as complete and rerouting funds to the attacker's address without proper authorization.
Vulnerability Detail
The finalizeWithdrawalTransactionExternalProof function is responsible for finalizing withdrawal transactions from Layer 2 (L2) to Layer 1 (L1). The function processes a WithdrawalTransaction structure containing details about the withdrawal, including the sender, target address, value, and other related data.
The vulnerability arises because finalizeWithdrawalTransactionExternalProof does not adequately validate the integrity of the transaction metadata, particularly the target address. This absence of validation allows an attacker to intercept and manipulate the transaction data of a legitimate user, altering the target address to one that the attacker controls.
Attack:
The attacker, Bob, observes the blockchain for pending withdrawal transactions, such as Alice’s.
Bob can see Alice’s WithdrawalTransaction details, including the target address where funds should be sent.
Bob creates a modified version of Alice’s transaction, changing the target address to his own (bobControlledAddress) while keeping other details the same.
Bob encodes the manipulated WithdrawalTransaction data within his malicious contract (AttackContract) using the setMetaData() function. This step prepares the manipulated metadata for execution.
Bob calls the attack() function on his AttackContract, which triggers the finalizeWithdrawalTransactionExternalProof function using the manipulated metadata.
Due to the lack of validation in finalizeWithdrawalTransactionExternalProof, the transaction is processed, and the funds are sent to Bob’s address instead of Alice’s.
Impact
The system falsely marks the manipulated transaction as finalized, even though the finalization was not triggered by the legitimate user or an authorized source.
Funds intended for the legitimate user (Alice) are redirected to the attacker’s address, effectively resulting in theft.
Once the transaction is marked as finalized, the legitimate user cannot reattempt the withdrawal, causing permanent loss of access to their funds.
// SPDX-License-Identifier: MIT
pragma solidity 0.8.15;
struct WithdrawalTransaction {
uint256 nonce;
address sender;
address target;
uint256 value;
uint256 gasLimit;
bytes data;
}
interface OptimismPortal2 {
function finalizeWithdrawalTransaction(WithdrawalTransaction memory _tx) external;
}
contract AttackContract {
bytes metaData;
address optimismPortalAddress;
constructor(address _optimismPortal) {
optimismPortalAddress = _optimismPortal;
}
// Function to set the manipulated metadata for the attack
function setMetaData(WithdrawalTransaction memory _tx) public {
metaData = abi.encodeWithSelector(
IOptimismPortal.finalizeWithdrawalTransaction.selector,
_tx
);
}
// Execute the attack using the manipulated metadata
function attack() public {
optimismPortalAddress.call(metaData);
}
}
Tool used
Manual Review
Recommendation
Before finalizing any transaction, ensure that the transaction metadata, including the target address, matches the original details provided by the legitimate user.
Introduce strict validation checks to ensure that finalizeWithdrawalTransactionExternalProof can only be called by authorized addresses, specifically verifying the legitimacy of the call against the original transaction initiator.
ChainPatrol
High
Unauthorized Fund Transfers via Manipulated Metadata in
finalizeWithdrawalTransactionExternalProofSummary
A critical vulnerability exists in the finalizeWithdrawalTransactionExternalProof function of the
OptimismPortal2.solcontract that allows malicious actors to manipulate withdrawal transactions by altering key transaction metadata, specifically thetarget address. This vulnerability enables an attacker to reroute funds intended for legitimate users to an address controlled by the attacker, resulting in unauthorized withdrawal finalizations and potential theft of user funds.The vulnerability arises because
finalizeWithdrawalTransactionExternalProofdoes not adequately validate the source of the transaction or the legitimacy of the target address within the transaction metadata. This lack of validation allows an attacker, such as Bob, to alter the metadata of a legitimate user’s (Alice’s) withdrawal transaction and set the target address to an address controlled by the attacker. As a result, the system processes and finalizes the manipulated transaction, falsely marking it as complete and rerouting funds to the attacker's address without proper authorization.Vulnerability Detail
The
finalizeWithdrawalTransactionExternalProoffunction is responsible for finalizing withdrawal transactions from Layer 2(L2)to Layer 1(L1). The function processes aWithdrawalTransactionstructure containing details about the withdrawal, including the sender,target address, value, and other related data.The vulnerability arises because
finalizeWithdrawalTransactionExternalProofdoes not adequately validate the integrity of the transaction metadata, particularly thetarget address. This absence of validation allows an attacker to intercept and manipulate the transaction data of a legitimate user, altering thetarget addressto one that theattacker controls.Attack:
WithdrawalTransactiondetails, including thetarget addresswhere funds should be sent.target addressto his own(bobControlledAddress)while keeping other details the same.WithdrawalTransactiondata within his malicious contract(AttackContract)using thesetMetaData()function. This step prepares the manipulated metadata for execution.attack()function on hisAttackContract, which triggers thefinalizeWithdrawalTransactionExternalProoffunction using the manipulated metadata.finalizeWithdrawalTransactionExternalProof, the transaction is processed, and the funds are sent toBob’s addressinstead of Alice’s.Impact
(Alice)are redirected to theattacker’s address, effectively resulting in theft.Code Snippet
Tool used
Manual Review
Recommendation