0xdeadbeef - Malicious actor cause rebase to an old inflation multiplier

[sherlock-admin]

0xdeadbeef

high

Malicious actor cause rebase to an old inflation multiplier

Summary

The protocol has a rebasing mechanism that allows to sync the inflation multiplier between both L1 and L2 chains.
The call to rebase is permissionless (anyone can trigger it).
Insufficant checks allow a malicious actor to rebase to an old value.

Vulnerability Detail

Rebasing from L1 to L2 is through the L1ECOBridge rebase function. It collects the inflation multiplier from the ECO token and sends a message to L2ECOBridge to update the L2 ECO token inflation multiplier.
https://github.com/sherlock-audit/2023-05-ecoprotocol/blob/main/op-eco/contracts/bridge/L1ECOBridge.sol#L296

    function rebase(uint32 _l2Gas) external {
        inflationMultiplier = IECO(l1Eco).getPastLinearInflation(
            block.number
        );

        bytes memory message = abi.encodeWithSelector(
            IL2ECOBridge.rebase.selector,
            inflationMultiplier
        );

        sendCrossDomainMessage(l2TokenBridge, _l2Gas, message);
    }

A malicious actor can call this function a large amount of times to queue messages on L2CrossDomainMessenger.
Since it is expensive to execute so much messages from L2CrossDomainMessenger (especially if the malicious actor sets _l2Gas to a high value) there will be a rebase message that will not be relayed through L2CrossDomainMessenger (or in failedMessages array).

Some time passes and other legitimate rebase transactions get executed.

One day the malicious actor can execute one of his old rebase messages and set the value to the old value. The attacker will debalance the scales between L1 and L2 and can profit from it.

Impact

debalance the scales between L1 and L2 ECO token

Code Snippet

Tool used

Manual Review

Recommendation

When sending a rebase from L1, include in the message the L1 block number. In L2 rebase, validate that the new rebase block number is above previous block number

[albertnbrown]

This is legitimate because unlike upgrade functions, the rebase function has no auth guards. We have added fixes to this to this PR:

eco-association/op-eco#33

[0xdeadbeef0x]

Escalate for 10 USDC

Escalating to verify that this gets the the reward tag as it was confirmed and fixed by the sponsor.

[sherlock-admin]

Escalate for 10 USDC

Escalating to verify that this gets the the reward tag as it was confirmed and fixed by the sponsor.

You've created a valid escalation for 10 USDC!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

[hrishibhat]

Escalation accepted

Valid high

[sherlock-admin]

Escalation accepted

Valid high

This issue's escalations have been accepted!

Contestants' payouts and scores will be updated according to the changes made on this issue.

[0xffff11]

Added fix in: eco-association/op-eco#33

[0xffff11]

Fix confirmed, added block number to L1 calls to prevent any replay attacks using failed cross-bridge calls