This repository has been archived by the owner on May 26, 2023. It is now read-only.
rvierdiiev - Relayer can call OptimismPortal.proveWithdrawalTransaction and OptimismPortal.finalizeWithdrawalTransaction for his own withdraw #12
Labels
Duplicate
A valid issue that is a duplicate of an issue with `Has Duplicates` label
Reward
A payout will be made for this issue
Specification
An issue related to the specification (low severity)
rvierdiiev
low
Relayer can call OptimismPortal.proveWithdrawalTransaction and OptimismPortal.finalizeWithdrawalTransaction for his own withdraw
Summary
A relayer can call OptimismPortal.proveWithdrawalTransaction and OptimismPortal.finalizeWithdrawalTransaction for his own withdrawal; however, the docs say that he should not be able to do that.
Vulnerability Detail
https://github.com/ethereum-optimism/optimism/blob/f30376825c82f62b846590487fe46b7435213d37/specs/withdrawals.md#on-l1
The withdrawal documentation states that a relayer should not call OptimismPortal.proveWithdrawalTransaction for withdrawals that he created himself.
The same is said about calls to OptimismPortal.finalizeWithdrawalTransaction.
However, there is no such check in either function: they do not check that the caller of the function is not the initiator of the withdrawal on L2.
Impact
A relayer can submit a withdrawal tx to OptimismPortal when he is the initiator of the withdrawal on L2.
Code Snippet
https://github.com/sherlock-audit/2023-01-optimism/blob/main/optimism/packages/contracts-bedrock/contracts/L1/OptimismPortal.sol#L160-L344
Tool used
Manual Review
Recommendation
State in line with your docs.
Duplicate of #107