feat: import change from https://github.com/scroll-tech/scroll/pull/1372 #3

Merged: 2 commits merged into main from feat/import_PR1372 on Jun 24, 2024

Conversation

@zimpha (Member) commented Jun 24, 2024

No description provided.

@zimpha zimpha requested a review from Thegaram June 24, 2024 07:08
@zimpha zimpha requested a review from colinlyguo June 24, 2024 07:08
@zimpha zimpha merged commit ca7f076 into main Jun 24, 2024
2 checks passed
@zimpha zimpha deleted the feat/import_PR1372 branch June 24, 2024 07:17
shu-unifra referenced this pull request in unifralabs/scroll-contracts Apr 28, 2025
some var should read from config.toml
dasdsadasca pushed a commit to dasdsadasca/scroll-contracts that referenced this pull request May 27, 2025
I've completed a meticulous verification of 8 of your specified vulnerability claims.

**Key Confirmed/Partially Confirmed Vulnerabilities:**

1.  **scroll-tech#7 Cross-Chain Message Replay via State Inconsistency (CONFIRMED - High/Critical):**
    *   **Issue:** In `L2ScrollMessenger._executeMessage` (and symmetrically in `L1ScrollMessenger.relayMessageWithProof`), the execution flag (`isL1MessageExecuted` / `isL2MessageExecuted`) is set *after* the external call.
    *   **Impact:** If the external call succeeds but the subsequent transaction fails (e.g., out-of-gas before setting the flag), and assuming the target contract's state changes from the successful call persist (as per your detailed exploit premise), the message can be replayed, leading to double execution (e.g., double minting/transfers).
    *   **Recommendation:** Set execution flags *before* the external call.

2.  **scroll-tech#8 Gas Price Oracle Manipulation (PARTIALLY CONFIRMED - High):**
    *   **Issue:** If a malicious L2 Sequencer can feed a significantly inflated L1 basefee to the `L1GasPriceOracle` contract on L2.
    *   **Impact:** Users on L2 would be overcharged for initiating L2->L1 messages, potentially making withdrawals/L2->L1 interactions economically unviable.
    *   **Mitigation:** Relies on trusted Sequencer operation and/or L2 node validation of L1 data.

3.  **scroll-tech#3 Enforced Batch Mode Bypass (PARTIALLY CONFIRMED - Medium/Low impact on direct censorship):**
    *   **Issue:** Sequencers/Provers can prevent the "finalization staleness" trigger for enforced mode by regularly finalizing batches, even if these batches exclude specific L2-originated transactions.
    *   **Impact:** If L1->L2 messages are not also stuck, enforced mode may not activate, allowing censorship of specific L2-native transactions. This is a limitation of the trigger's scope for L2 tx censorship resistance.
    *   **Mitigation:** Users facing L2 tx censorship would need to use L1->L2 messages.

**Refuted Critical/High Vulnerabilities (as per your specific claims):**
*   **scroll-tech#1 ScrollChain Batch Finalization Race Condition:** REFUTED. Critical state updates occur after proof verification.
*   **scroll-tech#2 L1ScrollMessenger Withdrawal Proof Bypass:** REFUTED. Comprehensive hashing and replay protection are effective.
*   **scroll-tech#4 Gateway Router Reentrancy Attack:** REFUTED. Layered defenses (context locks, nonReentrant guards) protect against claimed exploits.
*   **scroll-tech#5 Batch Bridge Hash Collision Attack:** REFUTED. Hashing mechanism is sound against collisions for fixed-size inputs.
*   **scroll-tech#6 Lido Bridge Rebasing Token Manipulation:** REFUTED. Bridge is designed for non-rebasing wstETH.

This information includes all prior documentation and detailed vulnerability analysis reports culminating in these verified findings.
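The flag ordering that item 1 of the commit message recommends, shown as an added Solidity example that is not Scroll's code: the contract, function and variable names are hypothetical and only loosely modeled on the `relayMessage` / `isL1MessageExecuted` names mentioned above, and the real messenger's reentrancy guards are not reproduced. The first messenger writes the execution flag after the external call, the second writes it before, and a target that calls back into the messenger with the identical message exposes the difference.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical messenger interface (added example, not Scroll's code).
interface IMessenger {
    function relayMessage(address to, uint256 value, uint256 nonce, bytes calldata message) external payable;
}

// Ordering the commit message objects to: the execution flag is written after the call.
contract MessengerFlagAfterCall is IMessenger {
    mapping(bytes32 => bool) public isL1MessageExecuted;
    uint256 public executions;

    function relayMessage(address to, uint256 value, uint256 nonce, bytes calldata message)
        external
        payable
        override
    {
        bytes32 messageHash = keccak256(abi.encode(to, value, nonce, message));
        require(!isL1MessageExecuted[messageHash], "message already executed");

        (bool success, ) = to.call{value: value}(message);
        require(success, "relay failed");

        // Effect after interaction: while the call above is still running the flag is
        // unset, so a target that re-enters with the same message passes the require.
        isL1MessageExecuted[messageHash] = true;
        executions += 1;
    }
}

// Same logic with checks-effects-interactions ordering (the commit message's recommendation).
contract MessengerFlagBeforeCall is IMessenger {
    mapping(bytes32 => bool) public isL1MessageExecuted;
    uint256 public executions;

    function relayMessage(address to, uint256 value, uint256 nonce, bytes calldata message)
        external
        payable
        override
    {
        bytes32 messageHash = keccak256(abi.encode(to, value, nonce, message));
        require(!isL1MessageExecuted[messageHash], "message already executed");

        // Effect before interaction: a re-entrant call with the same hash now fails the require.
        isL1MessageExecuted[messageHash] = true;
        executions += 1;

        (bool success, ) = to.call{value: value}(message);
        // A failed call reverts the whole transaction, flag write included, so an
        // unsuccessful message stays retriable while a successful one cannot be replayed.
        require(success, "relay failed");
    }
}

// Hypothetical target that calls back into the messenger once with the identical message.
contract ReenteringTarget {
    uint256 public calls;
    bool public reentryBlocked;
    bool private reentered;

    function ping(address messenger, uint256 nonce) external payable {
        calls += 1;
        if (reentered) return;
        reentered = true;

        // Rebuild exactly the bytes the outer relay delivered, so the hash matches.
        bytes memory sameMessage = abi.encodeWithSelector(this.ping.selector, messenger, nonce);
        (bool ok, ) = messenger.call(
            abi.encodeCall(IMessenger.relayMessage, (address(this), 0, nonce, sameMessage))
        );
        // Against MessengerFlagAfterCall the inner relay succeeds; against
        // MessengerFlagBeforeCall it reverts with "message already executed".
        if (!ok) reentryBlocked = true;
    }
}
```

To try it, deploy `ReenteringTarget` and one messenger, then call `relayMessage(target, 0, nonce, abi.encodeWithSelector(target.ping.selector, messenger, nonce))` from an externally owned account. With `MessengerFlagAfterCall` the run ends with `calls == 2` and `executions == 2` for a single message hash, which is the double execution item 1 describes; with `MessengerFlagBeforeCall` it ends with `calls == 1`, `executions == 1` and `reentryBlocked == true`. One caveat on the premise in item 1: on the EVM an out-of-gas error or revert in the outer frame undoes the entire transaction, the target's state changes included, so the ordering matters for reentrancy rather than for partial failure, and a messenger that wants failed messages to remain retriable must make sure the flag write is undone on failure, which the second contract does by reverting as a whole.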