Arbitrum BoLD

Arbitrum BoLD audit details

• Total Prize Pool: Up to $300,500 in USDC
  • HM awards: Up to $235,000 in USDC
    • If one or more valid High severity findings are found, the HM pool is $235,000 in USDC
    • If one or more valid Medium severity findings are found, the HM pool is $85,000 in USDC
    • If no valid Highs or Mediums are found, the HM pool is $0 in USDC
  • QA awards: $40,000 in USDC
  • Judge awards: $15,000 in USDC
  • Validator awards: $10,000 in USDC
  • Scout awards: $500 in USDC
• Join C4 Discord to register
• Submit findings using the C4 form
• Read our guidelines for more details
• Starts May 10, 2024 20:00 UTC
• Ends May 27, 2024 20:00 UTC

IMPORTANT NOTE: Prior to receiving payment from this audit you MUST:

1. Become a Certified Contributor (successfully complete KYC)
2. Have an address that supports payout via Arbitrum.

You do not have to become certified before submitting bugs. But you must a) successfully complete the certification process and b) supply a wallet to the C4 team that supports Arbitrum payouts within 30 days of the award announcement in order to receive awards. This applies to all audit participants, including wardens, teams, judges, validators, and scouts.

Automated Findings / Publicly Known Issues

The 4naly3er report can be found here.

Note for C4 wardens: Anything included in this Automated Findings / Publicly Known Issues section is considered a publicly known issue and is ineligible for awards.

• It is always assumed that at least 1 honest validator would be actively participating in the rollup protocol.
• It is known that gas spending are not reimbursed in protocol at the moment, and an adversary can force the honest validators to collectively spend more than the adversary stake due to elevated gas price.
• It is assumed that off-chain computation costs are negligible, and honest validators can react to malicious action broadcasted on-chain immediately in the same block unless the malicious party spend their censorship budget.
• It is assumed that honest validators can collectively stake as much as the attackers willing to spend.
• It is assumed that the stake token would NOT be fee-on-transfer, rebasing, have a transfer hook or otherwise have non-standard ERC20 logics.
• The resolution of challenges that do not involve honest claims are out of scope unless they lead to incorrect assertions being confirmed
• Issues within One Step Proof contracts are out of scope in this contest, but might qualify for our immunefi bug bounty.
• We assume that an adversary can censor transactions for at most 1 challengePeriodBlocks or confirmPeriodBlock (whichever is smaller)
• Compromised keys are out of scope
• Centralization risk is out-of-scope
• Any issues whose root cause exists in nitro-contracts@77ee9de is considered out of scope but may be eligible for our bug bounty.

Overview

Enabling permissionless validation has long been a goal of Arbitrum on the progressive journey towards decentralization. Today, Arbitrum One and Arbitrum Nova rely on a permissioned set of valdiators to prevent delay attacks against the current rollup protocol - a class of attacks where actors can open disputes and delay on-chain confirmations (as long as actors are willing to sacrifice capital to do so).

Arbitrum BoLD is a new dispute protocol that enables permissionless validation by mitigating the risks of delay attacks with a fixed upper time bound for challenge resolution in an all-vs-all format. Specifically, BoLD is an upgrade to the interactive & fully operational fraud proof system that is currently used to secure all Arbitrum chains in production today, including Arbitrum One.

Links

• Previous audits: ToB audit
• Documentation: https://linktr.ee/arbitrumbold
• Website: https://arbitrum.foundation/
• X/Twitter: https://twitter.com/arbitrum
• Discord: https://discord.com/invite/arbitrum

---

Scope

Files in scope

See scope.txt

Files out of scope

See out_of_scope.txt

Scoping Q & A

General questions

External integrations (e.g., Uniswap) behavior in scope:

EIP compliance checklist

N/A

Additional context

Main invariants

• Challenges cannot bypass the grace period, challenges must take at least one challengePeriodBlocks + challengeGracePeriodBlocks
• Assertions cannot be confirmed before confirmPeriodBlocks after creation
• Honest assertions / layer zero edges are always confirmed under the BoLD paper’s assumptions within 2 challenge periods.
  • plus the security council grace period for assertions
• Edge ID’s and Assertion ID’s must be unique

Attack ideas (where to focus for bugs)

• Assuming there is at least one honest participant, no incorrect assertions or edges can be confirmed.
• Honest parties can always retrieve their assertion stakes and challenge bonds
• History commitments and their proofs can’t be manipulated somehow.
• Issues that the security council could fix are still in scope.

All trusted roles in the protocol

Note: there is a “grace period” after assertions are confirmed via challenge. This is to ensure the result of the challenge is widely observable before it causes an assertion to be confirmed. The security council can act within this grace period in the event a bad assertion is confirmed.

Describe any novel or unique curve logic or mathematical models implemented in the contracts:

N/A

Running tests

git clone https://github.com/code-423n4/2024-05-arbitrum-foundation
cd 2024-05-arbitrum-foundation
git submodule update --init --recursive
yarn

forge test 

To run code coverage

# same as above, just for the last command:
forge coverage

Coverage

note that interfaces and contracts without logic (e.g. Error.sol, Config.sol) are excluded

Miscellaneous

Employees of Arbitrum and employees' family members are ineligible to participate in this audit.