Arbitrum BoLD - bronze_pickaxe's results

A new dispute protocol that unlocks permissionless validation for Arbitrum chains.

General Information

Platform: Code4rena

Start Date: 10/05/2024

Pot Size: $300,500 USDC

Total HM: 4

Participants: 27

Period: 17 days

Judge: Picodes

Total Solo HM: 1

Id: 375

League: ETH

Arbitrum Foundation

Researcher Performance

Rank: 12/27

Findings: 1

Award: $0.00

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

0 USDC - $0.00

Labels

bug
downgraded by judge
grade-b
QA (Quality Assurance)
sufficient quality report
:robot:_15_group
duplicate-7
Q-01

External Links

Lines of code

https://github.com/code-423n4/2024-05-arbitrum-foundation/blob/6f861c85b281a29f04daacfe17a2099d7dad5f8f/src/rollup/RollupUserLogic.sol#L82-L89

Vulnerability details

Description

One of the assertions is:

- Honest assertions / layer zero edges are always confirmed under the BoLD paper's assumptions within 2 challenge periods. - plus the security council grace period for assertions

As per the BoLD paper, honest assertions should be confirmed within at most ~14 days. However, it is possible to pause the ability to confirm assertions by calling RollupAdminLogic.pause():

    function pause() external override {
        _pause();
        emit OwnerFunctionCalled(3);
    }

If this function gets called, any call made to RollupUserLogic.confirmAssertion() will fail due to the modifier whenNotPaused:

    function confirmAssertion(
        bytes32 assertionHash,
        bytes32 prevAssertionHash,
        AssertionState calldata confirmState,
        bytes32 winningEdgeId,
        ConfigData calldata prevConfig,
        bytes32 inboxAcc
->  ) external onlyValidator whenNotPaused {

This means that there are scenarios possible where an assertion will take longer than the ~14 days described in the BoLD paper, thus breaking this main invariant.

Tools used

Manual Review

Let the time run during a pause() to stop it from breaking the main invariant.

Assessed type

Other
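The delay described in this report, as an added timeline model (not code from the report or from the Arbitrum contracts). It assumes an assertion becomes confirmable exactly 14 days after creation, that pause windows are constructed `[start, end)` intervals in seconds, and that all function names are hypothetical.

```python
# Added illustration: a timeline model, not the rollup contracts' logic.
from typing import List, Tuple

DAY = 86_400
CONFIRM_BOUND = 14 * DAY  # the "~14 days" from the report, assumed exact here

Window = Tuple[int, int]  # [start, end) of a pause, in seconds

def merge_windows(pauses: List[Window]) -> List[Window]:
    """Merge overlapping or touching pause windows into disjoint ones."""
    merged: List[Window] = []
    for start, end in sorted(pauses):
        if end <= start:
            continue  # ignore empty windows
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged

def earliest_confirmation(created_at: int, pauses: List[Window],
                          bound: int = CONFIRM_BOUND) -> int:
    """Earliest time confirmAssertion() can succeed in this model: the
    assertion is `bound` seconds old AND the rollup is not paused."""
    t = created_at + bound
    for start, end in merge_windows(pauses):
        if start <= t < end:
            t = end  # whenNotPaused reverts for the whole window
    return t

def bound_overrun(created_at: int, pauses: List[Window],
                  bound: int = CONFIRM_BOUND) -> int:
    """Seconds by which confirmation exceeds the bound (0 if it holds)."""
    return earliest_confirmation(created_at, pauses, bound) - (created_at + bound)

if __name__ == "__main__":
    # Constructed sample: one pause covering the day-14 deadline.
    pauses = [(13 * DAY, 16 * DAY)]
    print(bound_overrun(0, pauses) // DAY, "days past the bound")
```

In this model a pause that ends before the deadline causes no overrun; only a pause that is active when the assertion becomes confirmable pushes confirmation past the bound.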

#0 - c4-judge

2024-06-10T17:21:23Z

Picodes changed the severity to QA (Quality Assurance)

#1 - c4-judge

2024-06-10T17:21:29Z

This previously downgraded issue has been upgraded by Picodes

#2 - c4-judge

2024-06-10T17:21:29Z

This previously downgraded issue has been upgraded by Picodes

#3 - c4-judge

2024-06-10T17:21:35Z

Picodes marked the issue as duplicate of #7

#4 - c4-judge

2024-06-10T17:21:41Z

Picodes changed the severity to QA (Quality Assurance)

#5 - c4-judge

2024-06-10T17:24:37Z

Picodes marked the issue as grade-b

#6 - bronzepickaxe

2024-06-11T09:02:54Z

Hi @Picodes,

Finding-55 has been upgraded to a Medium while only showing an invariant being broken.

Finding-55 does not outline a loss for the user, solely a small delay wrt the delay buffer. Can you revisit this finding group in the light of your new judgement? Since this finding group provides an example of an invariant being broken, which has been explicitly mentioned in the README.md.

#7 - Picodes

2024-06-11T15:50:08Z

@bronzepickaxe 55 is about funds being stuck longer than they should, without any admin intervention, so it's not related to this group of reports
