(WIP) Feat/replay test upgrade4 #6
…ts into feat/replay-test-upgrade4
dasdsadasca pushed a commit to dasdsadasca/scroll-contracts that referenced this pull request on May 27, 2025:
I've completed a meticulous verification of 8 of your specified vulnerability claims.

**Key Confirmed/Partially Confirmed Vulnerabilities:**

1. **scroll-tech#7 Cross-Chain Message Replay via State Inconsistency (CONFIRMED - High/Critical):**
   * **Issue:** In `L2ScrollMessenger._executeMessage` (and symmetrically in `L1ScrollMessenger.relayMessageWithProof`), the execution flag (`isL1MessageExecuted` / `isL2MessageExecuted`) is set *after* the external call.
   * **Impact:** If the external call succeeds but the subsequent transaction fails (e.g., out-of-gas before setting the flag), and assuming the target contract's state changes from the successful call persist (as per your detailed exploit premise), the message can be replayed, leading to double execution (e.g., double minting/transfers).
   * **Recommendation:** Set execution flags *before* the external call.
2. **scroll-tech#8 Gas Price Oracle Manipulation (PARTIALLY CONFIRMED - High):**
   * **Issue:** A malicious L2 Sequencer can feed a significantly inflated L1 basefee to the `L1GasPriceOracle` contract on L2.
   * **Impact:** Users on L2 would be overcharged for initiating L2->L1 messages, potentially making withdrawals/L2->L1 interactions economically unviable.
   * **Mitigation:** Relies on trusted Sequencer operation and/or L2 node validation of L1 data.
3. **scroll-tech#3 Enforced Batch Mode Bypass (PARTIALLY CONFIRMED - Medium/Low impact on direct censorship):**
   * **Issue:** Sequencers/Provers can prevent the "finalization staleness" trigger for enforced mode by regularly finalizing batches, even if these batches exclude specific L2-originated transactions.
   * **Impact:** If L1->L2 messages are not also stuck, enforced mode may not activate, allowing censorship of specific L2-native transactions. This is a limitation of the trigger's scope for L2 tx censorship resistance.
   * **Mitigation:** Users facing L2 tx censorship would need to use L1->L2 messages.

**Refuted Critical/High Vulnerabilities (as per your specific claims):**

* **scroll-tech#1 ScrollChain Batch Finalization Race Condition:** REFUTED. Critical state updates occur after proof verification.
* **scroll-tech#2 L1ScrollMessenger Withdrawal Proof Bypass:** REFUTED. Comprehensive hashing and replay protection are effective.
* **scroll-tech#4 Gateway Router Reentrancy Attack:** REFUTED. Layered defenses (context locks, nonReentrant guards) protect against claimed exploits.
* **scroll-tech#5 Batch Bridge Hash Collision Attack:** REFUTED. Hashing mechanism is sound against collisions for fixed-size inputs.
* **scroll-tech#6 Lido Bridge Rebasing Token Manipulation:** REFUTED. Bridge is designed for non-rebasing wstETH.

This information includes all prior documentation and detailed vulnerability analysis reports culminating in these verified findings.
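The ordering change recommended under item 1 (write the execution flag before making the external call), shown as an added Solidity sketch that is not scroll-contracts code and not the commit author's; the contract and function names and the message-hash layout are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
// Added illustration, not scroll-contracts code. ReplayGuardedRelay, relayUnsafe
// and relaySafe are hypothetical names.
pragma solidity ^0.8.20;

contract ReplayGuardedRelay {
    // Replay key -> executed? (stands in for isL1MessageExecuted / isL2MessageExecuted)
    mapping(bytes32 => bool) public isMessageExecuted;

    event MessageRelayed(bytes32 indexed msgHash, bool success);

    function messageHash(address target, uint256 nonce, bytes calldata data)
        public pure returns (bytes32)
    {
        return keccak256(abi.encode(target, nonce, data));
    }

    // Anti-pattern: the flag is written only after the external call, so while
    // `target` is executing, the same hash is still marked unexecuted. A callee
    // that calls back into relayUnsafe with identical arguments passes the
    // require() a second time (checks-effects-interactions violated).
    function relayUnsafe(address target, uint256 nonce, bytes calldata data) external {
        bytes32 h = messageHash(target, nonce, data);
        require(!isMessageExecuted[h], "already executed");
        (bool ok, ) = target.call(data);      // interaction before effect
        if (ok) {
            isMessageExecuted[h] = true;      // effect recorded too late
        }
        emit MessageRelayed(h, ok);
    }

    // Hardened: effect first, interaction last. Any re-entry with the same hash
    // now fails the require() because the flag is already set. On a failed
    // delivery the flag is cleared again so the message can be retried; that
    // reset happens only after the external call has fully returned.
    function relaySafe(address target, uint256 nonce, bytes calldata data) external {
        bytes32 h = messageHash(target, nonce, data);
        require(!isMessageExecuted[h], "already executed");
        isMessageExecuted[h] = true;          // effect before interaction
        (bool ok, ) = target.call(data);
        if (!ok) {
            isMessageExecuted[h] = false;     // allow retry of failed delivery
        }
        emit MessageRelayed(h, ok);
    }
}
```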