Satanic_angel - _queueIndex is never emptied, so it can become quite large thus type-casting it to uint64 can lead to overflow #246

Open
sherlock-admin4 opened this issue Sep 23, 2024 · 0 comments

sherlock-admin4 commented Sep 23, 2024

Satanic_angel

Medium

_queueIndex is never emptied, so it can become quite large thus type-casting it to uint64 can lead to overflow

Summary

Typecasting of the _queueIndex variable in the QueueTransaction event in the L1MessageQueueWithGasPriceOracle.sol file can lead to overflow of the value, thus leading to invalid queue data.

Root Cause

    function _queueTransaction(
        address _sender,
        address _target,
        uint256 _value,
        uint256 _gasLimit,
        bytes calldata _data
    ) internal {
        // compute transaction hash
        uint256 _queueIndex = messageQueue.length;
        //
        bytes32 _hash = computeTransactionHash(_sender, _queueIndex, _value, _target, _gasLimit, _data);

        messageQueue.push(_hash);

        // emit event overflow
        emit QueueTransaction(_sender, _target, _value, uint64(_queueIndex), _gasLimit, _data);
    }

The QueueTransaction event has typecasting of uint256 to uint64, which can lead to overflow of the index values, thus leading to invalid queue data for the Sequencer.

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

An invalid queue value can lead to invalid sequencer functioning, thus leading to failure in bridging of the values and stuck funds.

PoC

No response

Mitigation

Do not typecast to uint64

@sherlock-admin3 sherlock-admin3 changed the title from "Teeny Pastel Sawfish - _queueIndex is never emptied, so it can become quite large thus type-casting it to uint64 can lead to overflow" to "Satanic_angel - _queueIndex is never emptied, so it can become quite large thus type-casting it to uint64 can lead to overflow" on Oct 16, 2024
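The narrowing conversion used in the quoted `_queueTransaction`, shown next to a checked alternative. This is an added example, not part of the report or of the audited code base; the contract, error and function names are hypothetical, and only the `uint64(...)` cast of a `uint256` index is taken from the issue.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration; all names in this contract are hypothetical.
contract QueueIndexCastDemo {
    error IndexExceedsUint64(uint256 index);

    // Simplified event: only the index field from the quoted QueueTransaction.
    event QueueTransaction(uint64 queueIndex);

    /// Same kind of conversion as in the quoted code. An explicit narrowing
    /// conversion keeps the low 64 bits and discards the rest; the checked
    /// arithmetic of Solidity 0.8 does not apply to explicit conversions,
    /// so this never reverts.
    function truncatingCast(uint256 index) public pure returns (uint64) {
        return uint64(index);
    }

    /// True when the cast would change the value, i.e. when the emitted
    /// index would no longer match the position in the uint256-indexed array.
    function isLossy(uint256 index) public pure returns (bool) {
        return uint256(truncatingCast(index)) != index;
    }

    /// Checked conversion: reverts with a typed error instead of emitting
    /// a wrapped index that an off-chain consumer could misread.
    function checkedCast(uint256 index) public pure returns (uint64) {
        if (index > type(uint64).max) revert IndexExceedsUint64(index);
        return uint64(index);
    }

    /// Constructed boundary inputs: the largest index that survives the
    /// cast, and the first one that does not.
    function boundary() external pure returns (bool lossyAtMax, bool lossyPastMax) {
        uint256 max64 = uint256(type(uint64).max);
        lossyAtMax = isLossy(max64);
        lossyPastMax = isLossy(max64 + 1);
    }

    /// Emits only after the bounds check has passed.
    function emitChecked(uint256 index) external {
        emit QueueTransaction(checkedCast(index));
    }
}
```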