BASE - 0xdeadbeef's results

A secure, low-cost, developer-friendly Ethereum L2 built to bring the next billion users to web3.

General Information

Platform: Code4rena

Start Date: 26/05/2023

Pot Size: $100,000 USDC

Total HM: 0

Participants: 33

Period: 14 days

Judge: leastwood

Id: 241

League: ETH

Researcher Performance

Rank: 29/33

Findings: 1

Award: $813.40

QA: grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

813.4016 USDC - $813.40

Labels

bug
downgraded by judge
grade-b
primary issue
QA (Quality Assurance)
satisfactory
sponsor disputed
Q-09

External Links

Lines of code

https://github.com/ethereum-optimism/optimism/blob/daaf917b201aae021fb10da03ef1262a13e00353/packages/contracts-bedrock/contracts/libraries/Burn.sol#L33-L42

https://github.com/ethereum-optimism/optimism/blob/daaf917b201aae021fb10da03ef1262a13e00353/packages/contracts-bedrock/contracts/L2/L2ToL1MessagePasser.sol#L80-L89

Vulnerability details

Impact

BASE/Optimism attempts to be EVM equivalent.

If EIP-4758 is implemented in BASE, the mechanism for burning L2 ETH using selfdestruct will not work. This will lead to an inflation of ETH on L2 relative to L1.

If EIP-4758 is not implemented in BASE, users will need to develop their smart contracts differently than on Ethereum, as selfdestruct will act differently between the chains. This will break the EVM equivalence.

Proof of Concept

Please read https://eips.ethereum.org/EIPS/eip-4758, which is on track to be added to Ethereum. In brief, the selfdestruct code will not destroy the state of an account, but will continue to send the funds to the receiver (in this case itself).

The L2 L2ToL1MessagePasser has a burn function, which is used to prevent the amount of ETH on L2 inflating when ETH is withdrawn:

https://github.com/ethereum-optimism/optimism/blob/daaf917b201aae021fb10da03ef1262a13e00353/packages/contracts-bedrock/contracts/L2/L2ToL1MessagePasser.sol#L80-L89

```solidity
/**
 * @notice Removes all ETH held by this contract from the state. Used to prevent the amount of
 *         ETH on L2 inflating when ETH is withdrawn. Currently only way to do this is to
 *         create a contract and self-destruct it to itself. Anyone can call this function. Not
 *         incentivized since this function is very cheap.
 */
function burn() external {
    uint256 balance = address(this).balance;
    Burn.eth(balance);
    emit WithdrawerBalanceBurnt(balance);
}
```

Burn.eth deploys a new contract with the specified ETH. The contract then selfdestructs to itself, resulting in the provided ETH "disappearing" because of the deletion.

https://github.com/ethereum-optimism/optimism/blob/daaf917b201aae021fb10da03ef1262a13e00353/packages/contracts-bedrock/contracts/libraries/Burn.sol#L14-L42

```solidity
function eth(uint256 _amount) internal {
    new Burner{ value: _amount }();
}

// ----------

/**
 * @title Burner
 * @notice Burner self-destructs on creation and sends all ETH to itself, removing all ETH given to
 *         the contract from the circulating supply. Self-destructing is the only way to remove ETH
 *         from the circulating supply.
 */
contract Burner {
    constructor() payable {
        selfdestruct(payable(address(this)));
    }
}
```

As can be seen from the snippets above, the impact stated in the Impact section will happen when EIP-4758 is introduced.

Tools Used

Static analysis

In order to support "deletion" of ETH on L2 to prevent inflation, consider adding a predeploy address that will be treated in op-geth as always having zero balance. Therefore, transferring/calling this address will "delete" the funds.

Assessed type

ETH-Transfer
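A toy balance model of the burn path in this report, added here as an illustration and not taken from the Optimism/Base code or from the report's author. `L2State`, `ZERO_SINK` and `l2_inflation` are hypothetical names, and ETH locked on L1 is simplified to deposits minus withdrawals. It compares current SELFDESTRUCT behaviour, the EIP-4758 behaviour, and the suggested zero-balance predeploy.

```python
from dataclasses import dataclass, field

ZERO_SINK = "zero-balance-predeploy"  # hypothetical address; the report names none
PASSER = "L2ToL1MessagePasser"


@dataclass
class L2State:
    """Toy balance-only model of L2 state (constructed for illustration)."""
    eip4758: bool = False   # True: SELFDESTRUCT only sends the balance (EIP-4758)
    sink: bool = False      # True: node treats ZERO_SINK as always having zero balance
    balances: dict = field(default_factory=dict)
    burners: int = 0

    def supply(self) -> int:
        return sum(self.balances.values())

    def transfer(self, src: str, dst: str, amount: int) -> None:
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        if self.sink and dst == ZERO_SINK:
            return  # value credited to the sink is dropped from state
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def selfdestruct(self, addr: str, beneficiary: str) -> None:
        self.transfer(addr, beneficiary, self.balances.get(addr, 0))
        if not self.eip4758:
            self.balances.pop(addr, None)  # current rule: account and balance deleted

    def burn(self) -> None:
        """Model of burn(): Burn.eth(balance) deploys a Burner that selfdestructs to itself."""
        amount = self.balances.get(PASSER, 0)
        if self.sink:  # the report's suggested alternative
            self.transfer(PASSER, ZERO_SINK, amount)
            return
        self.burners += 1
        burner = f"Burner#{self.burners}"
        self.transfer(PASSER, burner, amount)  # new Burner{ value: _amount }()
        self.selfdestruct(burner, burner)      # selfdestruct(payable(address(this)))


def l2_inflation(eip4758: bool, sink: bool = False, deposited: int = 100, withdrawn: int = 40) -> int:
    """L2 supply minus ETH still locked on L1 after one withdrawal and a burn() call."""
    st = L2State(eip4758=eip4758, sink=sink)
    st.balances["user"] = deposited            # minted on L2 against an L1 deposit
    st.transfer("user", PASSER, withdrawn)     # withdrawal value lands in the passer
    st.burn()
    return st.supply() - (deposited - withdrawn)
```

A non-zero result from `l2_inflation` means withdrawn ETH is still counted in L2 state: under the EIP-4758 rule it sits in the Burner account instead of leaving the supply.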

#0 - c4-judge

2023-06-16T16:11:10Z

0xleastwood marked the issue as primary issue

#1 - c4-judge

2023-06-16T16:11:13Z

0xleastwood marked the issue as satisfactory

#2 - c4-judge

2023-06-16T16:15:33Z

0xleastwood marked the issue as selected for report

#3 - anupsv

2023-06-22T17:11:55Z

EIP not yet implemented. Not a vuln.

#4 - c4-sponsor

2023-06-22T19:52:43Z

anupsv marked the issue as sponsor disputed

#5 - 0xleastwood

2023-06-28T14:12:27Z

Agree that this is assuming the EIP is implemented. Currently, Base protocol is unaffected. Downgrading to low risk.

#6 - c4-judge

2023-06-28T14:12:36Z

0xleastwood changed the severity to QA (Quality Assurance)

#7 - c4-judge

2023-06-28T14:12:42Z

0xleastwood marked the issue as grade-b

#8 - c4-judge

2023-06-28T14:12:46Z

0xleastwood marked the issue as not selected for report
