Skip to content
This repository has been archived by the owner on May 26, 2023. It is now read-only.

csanuragjain - Incorrect owner check #263

Open
github-actions bot opened this issue Feb 20, 2023 · 4 comments
Open

csanuragjain - Incorrect owner check #263

github-actions bot opened this issue Feb 20, 2023 · 4 comments
Labels
Escalation Resolved This issue's escalations have been approved/rejected Reward A payout will be made for this issue Specification An issue related to the specification (low severity)

Comments

@github-actions
Copy link

csanuragjain

low

Incorrect owner check

Summary

The depositTransaction of OptimismPortal can directly be called by user instead of intermediate contract. This means from address wont be aliased. But this is not considered in CrossDomainOwnable contract which plainly undoL1ToL2Alias the caller

Vulnerability Detail

  1. Assume depositTransaction is called by User A directly. Since no intermediary contract so no aliasing is done
  2. On L2 side, if _checkOwner is checked
function _checkOwner() internal view override {
        require(
            owner() == AddressAliasHelper.undoL1ToL2Alias(msg.sender),
            "CrossDomainOwnable: caller is not the owner"
        );
    }
  1. This will try undoL1ToL2Alias on User A address and then match with owner which is incorrect since User A address was never aliased on L1

Impact

The owner check might fail for genuine transaction

Code Snippet

https://github.com/sherlock-audit/2023-01-optimism/blob/main/optimism/packages/contracts-bedrock/contracts/L2/CrossDomainOwnable.sol#L21

Tool used

Manual Review

Recommendation

This check need to be revised. If the transaction came directly from tx.origin (without any intermediary contract) then no need of removing aliasing
@sherlock-admin sherlock-admin added the Non-Reward This issue will not receive a payout label Feb 21, 2023
@csanuragjain
Copy link

csanuragjain commented Feb 22, 2023
edited
Loading

Escalate for 28 USDC

This is mentioning a valid issue where CrossDomainOwnable.sol#L21 is always assuming call to depositTransaction coming from contract (as undo Alias is always done).
If depositTransaction is called by a user instead then CrossDomainOwnable will fail to check properly and not allow a genuine user

@sherlock-admin
Copy link
Contributor

sherlock-admin commented Feb 22, 2023
edited
Loading

Escalate for 28 USDC

This is mentioning a valid issue where CrossDomainOwnable.sol#L21 is always assuming call to depositTransaction coming from contract (as undo Alias is always done).
If depositTransaction is called by a user instead then CrossDomainOwnable will fail to check properly and not allow a genuine user

You've created a valid escalation for 28 USDC!

To remove the escalation from consideration: Delete your comment.
To change the amount you've staked on this escalation: Edit your comment (do not create a new comment).

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

@sherlock-admin sherlock-admin added the Escalated This issue contains a pending escalation label Feb 22, 2023
@Evert0x
Copy link
Contributor

Evert0x commented Mar 2, 2023

Escalation accepted and labeling as specification issue

@Evert0x Evert0x reopened this Mar 2, 2023
@sherlock-admin
Copy link
Contributor

Escalation accepted and labeling as specification issue

This issue's escalations have been accepted!

Contestants' payouts and scores will be updated according to the changes made on this issue.

@sherlock-admin sherlock-admin added Escalation Resolved This issue's escalations have been approved/rejected and removed Escalated This issue contains a pending escalation labels Mar 2, 2023
@Evert0x Evert0x added Specification An issue related to the specification (low severity) Escalation Resolved This issue's escalations have been approved/rejected and removed Escalation Resolved This issue's escalations have been approved/rejected labels Mar 2, 2023
@rcstanciu rcstanciu added Reward A payout will be made for this issue and removed Non-Reward This issue will not receive a payout labels Mar 3, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Escalation Resolved This issue's escalations have been approved/rejected Reward A payout will be made for this issue Specification An issue related to the specification (low severity)
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@rcstanciu @csanuragjain @Evert0x @sherlock-admin