code423n4 / Code4rena: CODE423N4:2023-03-ZKSYNC-FINDINGS-ISSUES-100
History: Mar 18, 2023 - 12:00 a.m.

Sending L2 ---> L1 message without paying gas for published data due to uint256 overflow

Published: 2023-03-18 00:00:00
Source: Code4rena (github.com)
Tags: l2 to l1, gas, data publishing, overflow, vulnerability, mitigation, remix ide

Lines of code

Vulnerability details

Impact

Due to this bug, a user can send arbitrarily long messages (any message at or above a certain length) from L2 to L1 without paying for the gas required to publish the data on L1.

Proof of Concept

Below is a PoC contract called “Test” that illustrates the bug. The state variable “messageLength” corresponds to the “_message.length” variable in line 37 of L1Messenger.sol. “messageLength” has a specific value; messages with length >= “messageLength” can be passed from L2 to L1 without paying the required gas fees.

This is asserted through the function “check()” in the PoC, which contains only the vulnerable computation from L1Messenger.sol (the computation of “pubdataLen” inside the unchecked scope). Because of the “unchecked { }” scope, the computation of “pubdataLen” wraps around for messages with length >= “messageLength”, so the resulting “pubdataLen” is 0 instead of the true padded size.

```solidity
// SPDX-License-Identifier: GPL-3.0
pragma solidity ^0.8.0;

contract Test {
    // Smallest message length for which the unchecked pubdataLen computation
    // wraps to zero: ((2**256 - 64) / 32) * 32 - 31 == 2**256 - 95
    uint256 public messageLength = ((((2**256) - 64) / 32) * 32) - 31;

    // Only the vulnerable computation from L1Messenger.sol. Inside the unchecked
    // scope, ((messageLength + 31) / 32) * 32 + 64 evaluates to 2**256, which
    // wraps to 0, so the assert passes.
    function check() external view {
        unchecked {
            uint256 pubdataLen = ((messageLength + 31) / 32) * 32 + 64;
            assert(pubdataLen == 0);
        }
    }
}
```

Tools Used

Remix IDE

Recommended Mitigation Steps

It is recommended to remove the “unchecked { }” scope currently used for calculating “pubdataLen”. Messages can be arbitrarily long, so the computation of “pubdataLen” can overflow; with checked arithmetic the call reverts instead of silently under-charging for published data.
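The following is an added example, not code from the report or from zkSync: a Python model of the EVM's uint256 arithmetic that reproduces the PoC's threshold, contrasts the unchecked computation with the checked one the mitigation asks for, and goes beyond the single assert above by enumerating every length at the top of the uint256 range for which the wrapped “pubdataLen” stays tiny.

```python
# Model of the pubdataLen computation from L1Messenger.sol under EVM uint256 rules.
# Added example (not the report's or zkSync's code); the threshold constant mirrors
# the PoC, the band enumeration is an extension.
UINT256_MAX = 2**256 - 1
MOD = 2**256


def pubdata_len_unchecked(message_length: int) -> int:
    """Mirror of the unchecked block: every addition wraps modulo 2**256."""
    if not 0 <= message_length <= UINT256_MAX:
        raise ValueError("message_length must fit in uint256")
    padded = (message_length + 31) % MOD      # wraps when length > 2**256 - 32
    padded = (padded // 32) * 32              # cannot wrap: result <= padded
    return (padded + 64) % MOD                # wraps when padded > 2**256 - 65


def pubdata_len_checked(message_length: int) -> int:
    """Same arithmetic with Solidity 0.8 checked semantics: overflow reverts."""
    if not 0 <= message_length <= UINT256_MAX:
        raise ValueError("message_length must fit in uint256")
    padded = message_length + 31
    if padded > UINT256_MAX:
        raise OverflowError("message_length + 31 overflows uint256")
    result = (padded // 32) * 32 + 64
    if result > UINT256_MAX:
        raise OverflowError("pubdataLen overflows uint256")
    return result


# Threshold from the PoC: ((2**256 - 64) / 32) * 32 - 31 == 2**256 - 95
MESSAGE_LENGTH_THRESHOLD = (((2**256 - 64) // 32) * 32) - 31


def wrap_bands():
    """Group every length >= threshold by the wrapped pubdataLen it yields.

    Returns a list of (first_length, last_length, wrapped_pubdata_len)."""
    bands = []
    start = MESSAGE_LENGTH_THRESHOLD
    current = pubdata_len_unchecked(start)
    for length in range(MESSAGE_LENGTH_THRESHOLD + 1, UINT256_MAX + 1):
        value = pubdata_len_unchecked(length)
        if value != current:
            bands.append((start, length - 1, current))
            start, current = length, value
    bands.append((start, UINT256_MAX, current))
    return bands
```

Every length from the threshold up to the maximum uint256 yields a wrapped “pubdataLen” of 0, 32 or 64 bytes, while the checked version reverts for all of them.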
