Whatever the resolveData is, the bytes length is used to calculate the resolution cost which also determines the reward of the resolver. This function can easily be exploited by any user to consistently resolve challenges with long bytes invalid data and earn rewards.
Root Cause
No validation of the users-defined input data (resolveData) is done in 'DataAvailabilityChallenge:: resolve' function.
Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
Call 'DataAvailabilityChallenge:: resolve' function with any input for bytes calldata resolveData parameter.
Impact
All challenges will be resolved with long invalid data by any user so all the lockedbond will be sent to the user (resolver)
PoC
No response
Mitigation
Validate the content of the user input resolveData in 'DataAvailabilityChallenge:: resolve' function.
SyncCode2017
High
No validation of resolveData allowing an attacker to resolve challenges with invalid data and earn locked funds.
Summary
No validation of the users-defined input data (resolveData) is done in 'DataAvailabilityChallenge:: resolve' function as shown below.
https://github.com/sherlock-audit/2024-08-tokamak-network/blob/main/tokamak-thanos/packages/contracts-bedrock/src/L1/DataAvailabilityChallenge.sol#L335C4-L371C6
Whatever the resolveData is, the bytes length is used to calculate the resolution cost which also determines the reward of the resolver. This function can easily be exploited by any user to consistently resolve challenges with long bytes invalid data and earn rewards.
Root Cause
No validation of the users-defined input data (resolveData) is done in 'DataAvailabilityChallenge:: resolve' function.
Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
Call 'DataAvailabilityChallenge:: resolve' function with any input for bytes calldata resolveData parameter.
Impact
All challenges will be resolved with long invalid data by any user so all the lockedbond will be sent to the user (resolver)
PoC
No response
Mitigation
Validate the content of the user input resolveData in 'DataAvailabilityChallenge:: resolve' function.