-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
1d03eb9
commit 73d4731
Showing
7 changed files
with
73 additions
and
6 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,64 @@ | ||
title = "Out-of-order retryable transactions" | ||
verbose_name = "out-of-order-retryable" | ||
severity = "major" | ||
category = "antipattern" | ||
weight = 60 | ||
description = """ | ||
Out-of-order retryable transactions | ||
<!--more--> | ||
## Exploit Scenario | ||
```solidity | ||
contract L1 { | ||
function doStuffOnL2() external { | ||
// Retryable A | ||
IInbox(inbox).createRetryableTicket({ | ||
to: l2contract, | ||
l2CallValue: 0, | ||
maxSubmissionCost: maxSubmissionCost, | ||
excessFeeRefundAddress: msg.sender, | ||
callValueRefundAddress: msg.sender, | ||
gasLimit: gasLimit, | ||
maxFeePerGas: maxFeePerGas, | ||
data: abi.encodeCall(l2contract.claim_rewards, ()) | ||
}); | ||
// Retryable B | ||
IInbox(inbox).createRetryableTicket({ | ||
to: l2contract, | ||
l2CallValue: 0, | ||
maxSubmissionCost: maxSubmissionCost, | ||
excessFeeRefundAddress: msg.sender, | ||
callValueRefundAddress: msg.sender, | ||
gasLimit: gas, | ||
maxFeePerGas: maxFeePerGas, | ||
data: abi.encodeCall(l2contract.unstake, ()) | ||
}); | ||
} | ||
} | ||
contract L2 { | ||
function claim_rewards() public { | ||
// rewards is computed based on balance and staking period | ||
uint unclaimed_rewards = _compute_and_update_rewards(); | ||
token.safeTransfer(msg.sender, unclaimed_rewards); | ||
} | ||
// Call claim_rewards before unstaking, otherwise you lose your rewards | ||
function unstake() public { | ||
_free_rewards(); // clean up rewards related variables | ||
balance = balance[msg.sender]; | ||
balance[msg.sender] = 0; | ||
staked_token.safeTransfer(msg.sender, balance); | ||
} | ||
} | ||
``` | ||
Bob calls `doStuffOnL2` but the first retryable ticket calling `claim_rewards` fails. The second retryable ticket calling `unstake` is executed successfully. As a result, Bob loses his rewards. | ||
## Recommendation | ||
Do not rely on the order or successful execution of retryable tickets. | ||
## Learn more | ||
[out-of-order-retryable](https://github.com/crytic/slither/wiki/Detector-Documentation#out-of-order-retryable-transactions) on Slither's wiki. | ||
""" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters