Nois3
low
Denial of Service vulnerability in the 'proveWithdrawalTransaction' function of the Optimism L1ERC721Bridge contract
The proveWithdrawalTransaction function in the L1ERC721Bridge contract is vulnerable to a DoS attack. An attacker can repeatedly call this function with the same withdrawal transaction and different output roots, causing the contract to spend excessive amounts of gas and potentially leading to a blockage of the contract.
The proveWithdrawalTransaction function allows users to prove a withdrawal transaction by providing an output root proof and a withdrawal proof. However, the function does not have any mechanism to prevent an attacker from repeatedly calling the function with the same withdrawal transaction and different output roots. This can cause the contract to spend excessive amounts of gas on redundant computation and potentially lead to a blockage of the contract.
The vulnerable code can be found in the proveWithdrawalTransaction function in the L1ERC721Bridge contract:
function proveWithdrawalTransaction(
Types.WithdrawalTransaction memory _tx,
uint256 _l2OutputIndex,
Types.OutputRootProof calldata _outputRootProof,
bytes[] calldata _withdrawalProof
) external {
// ...
// Verify that the output root can be generated with the elements in the proof.
require(
outputRoot == Hashing.hashOutputRootProof(_outputRootProof),
"OptimismPortal: invalid output root proof"
);
// ...
}Manual Review
To prevent this vulnerability, the proveWithdrawalTransaction function should have a mechanism to prevent an attacker from repeatedly calling the function with the same withdrawal transaction and different output roots. This could be achieved by adding a mapping of withdrawal transactions to output roots and checking if the provided output root matches the one previously stored before performing further computations. Additionally, the function should check if the provided output root is valid before performing any computation.