Skip to content

Latest commit

 

History

History
70 lines (45 loc) · 3.12 KB

028.md

File metadata and controls

70 lines (45 loc) · 3.12 KB
Raw

Swift Burgundy Iguana

Medium

Revert request will occupy the challenge window.

Summary

Revert request will occupy the challenge window.

There is a certain time interval from the initiation of the revert request to the actual execution of the revert by the owner, during which challenges cannot be made. This makes batches that could have been challenged unable to be challenged during this period, rendering part of the challenge window ineffective.

Root Cause

When the challenge is successful, the revertReqIndex will be recorded, and then the owner will execute revertBatch to eliminate this record.

https://github.com/sherlock-audit/2024-08-morphl2/blob/main/morph/contracts/contracts/l1/rollup/Rollup.sol#L701-L702

    function _challengerWin(uint256 batchIndex, uint256 sequencersBitmap, string memory _type) internal {
        revertReqIndex = batchIndex;

https://github.com/sherlock-audit/2024-08-morphl2/blob/main/morph/contracts/contracts/l1/rollup/Rollup.sol#L351-L353

            if (revertReqIndex > 0 && _batchIndex == revertReqIndex) {
                revertReqIndex = 0;
            }

When revertReqIndex is present, challenges to other batches cannot be initiated.

https://github.com/sherlock-audit/2024-08-morphl2/blob/main/morph/contracts/contracts/l1/rollup/Rollup.sol#L367

    function challengeState(uint64 batchIndex) external payable onlyChallenger nonReqRevert whenNotPaused {

There is a certain time interval from the initiation of the revert request to the actual execution of the revert by the owner, during which challenges cannot be made. This makes batches that could have been challenged unable to be challenged during this period, rendering part of the challenge window ineffective.

For example:

  1. Suppose the lastFinalizedIndex is 1, and then the committed batch indices are 2, 3, 4, 5.
  2. The batch with index 3 is successfully challenged, and assume the owner executes revertBatch after 10 blocks, reverting batches 3-5.
  3. During these 10 blocks, the batch with index 2, although not finalized, cannot be challenged, i.e., the time it can be challenged is reduced by 10 blocks.
  4. The reduction in time ultimately available for challenges diminishes the security of the protocol.

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

  1. Suppose the lastFinalizedIndex is 1, and then the committed batch indices are 2, 3, 4, 5.
  2. The batch with index 3 is successfully challenged, and assume the owner executes revertBatch after 10 blocks, reverting batches 3-5.
  3. During these 10 blocks, the batch with index 2, although not finalized, cannot be challenged, i.e., the time it can be challenged is reduced by 10 blocks.
  4. The reduction in time ultimately available for challenges diminishes the security of the protocol.

Impact

The time that a batch can be challenged is reduced, decreasing the security of the protocol.

PoC

No response

Mitigation

Record the time from the initiation of the request to execution, and extend the finalize time of all unfinalized items accordingly in revertBatch.