|
| 1 | +# Ban `ExecutingMessage` Deposits: Failure Modes and Recovery Path Analysis |
| 2 | + |
| 3 | +| Author | Skeletor, Parti, Joxes | |
| 4 | +| --- | --- | |
| 5 | +| Created at | 2025-01-10 | |
| 6 | +| Initial Reviewers | Pending | |
| 7 | +| Needs Approval From | Kelvin Fichter | |
| 8 | +| Status | In Review | |
| 9 | + |
| 10 | +## Introduction |
| 11 | + |
| 12 | +This document is intended to be shared publicly for reviews and visibility purposes. It covers the changes introduced to ban calls to `validateMessage` in the `CrossL2Inbox` within a deposit. These changes involve contracts and client: |
| 13 | + |
| 14 | +- **Contracts**: |
| 15 | + - Updates to the `CrossL2Inbox` to revert on deposit transactions. |
| 16 | + - Updates to the `L1BlockInterop` to add `isDeposit`, `depositsComplete`, and `setL1BlockValuesInterop` external functions. |
| 17 | + |
| 18 | +- **Client**: |
| 19 | + - Updates to the `PreparePayloadAttributes` function within `derive/attributes.go`. |
| 20 | + - Adds `AfterForceIncludeSource` to `derive/deposit_source.go`. |
| 21 | + - Updates to the `derive/l1_block_info.go` to comply with the new contract changes specified above. |
| 22 | + |
| 23 | +Below are references for this project: |
| 24 | +- Both Contract and Client updates are documented in the following specs: |
| 25 | + - [interop: Specify deposit handling #258](https://github.com/ethereum-optimism/specs/pull/258). |
| 26 | +- Reference implementation can be found below: |
| 27 | + - `CrossL2Inbox`: https://github.com/ethereum-optimism/optimism/blob/develop/packages/contracts-bedrock/src/L2/CrossL2Inbox.sol |
| 28 | + - `L1BlockInterop`: https://github.com/ethereum-optimism/optimism/blob/develop/packages/contracts-bedrock/src/L2/L1BlockInterop.sol |
| 29 | + |
| 30 | +Note that this FMA doesn’t intend to cover the main features of core interop contracts for message passing. |
| 31 | + |
| 32 | +> 🗂️ **For more context about the Interop project, refer to the following docs:** |
| 33 | +> 1. [Interop System Diagram](https://www.notion.so/Superchain-Interop-16c8052fcbb24b93ad1a539b5f8db4c1?pvs=21) |
| 34 | +> 2. [Interop PID](https://www.notion.so/Superchain-Interop-16c8052fcbb24b93ad1a539b5f8db4c1?pvs=21) |
| 35 | +> 3. [Interop Audit Request](https://docs.google.com/document/d/1Rcuzbsguh7koT2jFru5ft9T8zAvjBEzbt0zF5LNQQ08/edit?tab=t.0) |
| 36 | +
|
| 37 | +## Failure Modes and Recovery Paths |
| 38 | + |
| 39 | +### FM1: An `ExecutingMessage` is emitted even if the `isDeposit` flag is correctly set, or `isDeposit` is not turned on before deposit transactions. |
| 40 | + |
| 41 | +- **Description:** If a deposit transaction calls `validateMessage` without reverting and emitting the event `ExecutingMessage`, the sequencer could be forced to include messages that do not correspond to an existing identifier. This could break multiple interop invariants and eventually lead to a bricked chain. |
| 42 | +- **Risk Assessment:** High. |
| 43 | + - Potential Impact: Critical. The impact of such an attack would vary depending on the message. Examples of economic attacks include: |
| 44 | + - Releasing all ETH from the `ETHLiquidity` contract. |
| 45 | + - Relaying an ERC20 with a custom amount never burned on the source chain. |
| 46 | + |
| 47 | + In the worst-case scenario, the chain could produce unsafe blocks that are subsequently rejected, leading to a reorg, which would effectively brick the chain afterwards. This occurs because the chain cannot progress with a deposit transaction containing an invalid execution. Services such as relay-based bridges could also face significant consequences if they fail to detect the situation promptly. |
| 48 | + |
| 49 | + - Likelihood: Low. This could only happen with a bugged implementation of the `CrossL2Inbox` check or a misconfiguration in `L1BlockInterop`. Even if the current implementation is bug-free, future upgrades can introduce these bugs. |
| 50 | +- **Mitigations:** Our current codebase includes the following tests: |
| 51 | + - Test to check that the `CrossL2Inbox` contract validates messages only when `isDeposit` is `false` ([test](https://github.com/ethereum-optimism/optimism/blob/ef6ef6fd45fc2b7ccd4bc06dc7e24f75c0dda362/packages/contracts-bedrock/test/L2/CrossL2Inbox.t.sol#L139)). |
| 52 | + - Test to check that the `CrossL2Inbox` contract reverts messages only when `isDeposit` is `true` ([test](https://github.com/ethereum-optimism/optimism/blob/ef6ef6fd45fc2b7ccd4bc06dc7e24f75c0dda362/packages/contracts-bedrock/test/L2/CrossL2Inbox.t.sol#L166)). |
| 53 | + - Test to check that the `L1BlockInterop` contract enforce the same `isDeposit` logic ([test](https://github.com/ethereum-optimism/optimism/blob/ef6ef6fd45fc2b7ccd4bc06dc7e24f75c0dda362/packages/contracts-bedrock/test/L2/L1BlockInterop.t.sol#L205)). |
| 54 | + - Test to check that the `L1BlockInterop` set `isDeposit` to `true` during the deposit context ([test](https://github.com/ethereum-optimism/optimism/blob/ef6ef6fd45fc2b7ccd4bc06dc7e24f75c0dda362/packages/contracts-bedrock/test/L2/L1BlockInterop.t.sol#L239)). |
| 55 | + |
| 56 | + The security team should be aware of this issue and check for it in every protocol version upgrade. There should be a way to prevent to process such deposits. One solution could be update `op-geth` to revert automatically if it detects an execution of a deposit transactions that generates any logs in the `CrossL2Inbox`. |
| 57 | +- **Detection:** It is possible to monitor new incoming deposits and simulate them before to include in L2. This also would allow the sequencer to delay the deposit’s inclusion until the sequencing window ends, in order to have a delay a a time buffer to fix the issue. Otherwise, chain will face a halt after deposit is tried to be included, which is easily detected. |
| 58 | +- **Recovery Path(s):** A chain halt followed by a fix and a reorg would be necessary. |
| 59 | + |
| 60 | +### FM2: `upgradeTxs` include an invalid `ExecutingMessage` |
| 61 | + |
| 62 | +- **Description:** The `isDeposit` bool is set off before the upgrade transactions, which are force-included. This implies that, if an upgrade transaction includes a call to `validateMessage`, the sequencer will be forced to include it, even if it doesn't point to an existing identifier. |
| 63 | +- **Risk Assessment:** Medium. |
| 64 | + - Potential Impact: High. It could impact the same way described in FM1. |
| 65 | + - Likelihood: Low. An upgrade transaction should not call `validateMessage()` unless it is somehow intended to (and therefore not malicious). What's more, every upgrade transaction should bypass many security checks. |
| 66 | +- **Mitigations:** Ideally, `upgradeTxs` should be enforced to be part of the deposit context, but since such upgrades have sudo privileges by nature—including the ability to turn off/remove the `isDeposit` flag—protocol changes would be required to actually enforce this rule. With the current implementation, during operations, every upgrade transaction should be simulated. An invalid Superchain state would be caught by the `op-supervisor` in simulations. |
| 67 | +- **Detection:** Upgrades are heavily monitored transactions, making it very unlikely to go unnoticed. |
| 68 | +- **Recovery Path(s):** Recovery would be similar to other bugged upgrades. See [Generic Hardfork FMA](https://github.com/ethereum-optimism/design-docs/blob/main/security/fma-generic-hardfork.md) for more details. |
| 69 | + |
| 70 | +### FM2: `isDeposit` is not turned off after deposit transactions |
| 71 | + |
| 72 | +- **Description:** If the `depositComplete` call within `L1BlockInterop` fails or is never initiated, the `isDeposit` flag might remain on. This would imply that every call to `validateMessage` will be seen as a deposit and therefore revert. |
| 73 | +- **Risk Assessment:** Low. |
| 74 | + - Potential Impact: Medium. Genuine cross-chain messages will not be able to execute. This should not be a major issue, as users can re-execute after the fix. |
| 75 | + - Likelihood: Low. This could happen if the `depositComplete` implementation is bugged or the sequencer is not triggering the call to the function. The latter could occur due to a client bug or an out-of-gas error, which is unlikely. |
| 76 | +- **Mitigations:** Our current codebase includes tests to check `L1BlockInterop` set `isDeposit` as `false` after the deposit context ends ([test](https://github.com/ethereum-optimism/optimism/blob/ef6ef6fd45fc2b7ccd4bc06dc7e24f75c0dda362/packages/contracts-bedrock/test/L2/L1BlockInterop.t.sol#L292)). The security team should know this issue and check for it in every protocol version. |
| 77 | +- **Detection:** Offchain services should be aware of this possibility for `validateMessage` reverts. |
| 78 | +- **Recovery Path(s):** Execute the proper fixes depending on whether it was a sequencer or contract error. Valid reverted messages can be re executed on destination, or resent if expired. |
| 79 | + |
| 80 | +### Generic items we need to take into account: |
| 81 | + |
| 82 | +- Every consideration already covered by the [Generic Hardfork FMA](https://github.com/ethereum-optimism/design-docs/blob/main/security/fma-generic-hardfork.md) will also apply to these changes. |
| 83 | +- It is important to have a good gas benchmark for `L1Block.depositsComplete()` in the client to minimize out of gas errors. |
| 84 | + |
| 85 | +## Action Items |
| 86 | + |
| 87 | +- [ ] Resolve all the comments. |
| 88 | +- [ ] FM1: Confirm whether the suggested changes to `op-geth` are considered (and implemented) or if other options are chosen. |
| 89 | +- [ ] FM1: Confirm whether deposit simulations and procedures are feasible or if alternative monitoring methods are being considered (as action items). |
| 90 | +- [ ] FM2: Confirm that the security team is aware of the lack of restrictions over upgradeTxs and closely monitor any future upgrade to ensure it does not call `validateMessage`. Ideally, we would like to have strong restrictions for `upgradeTxs`. |
| 91 | + |
| 92 | +## Audit Requirements |
| 93 | + |
| 94 | +We suggest the modifications for banning deposit triggering `ExecutingMessage` events go through an audit, as they affect a sensitive part of the protocol. Following on the [Audit Framework](https://gov.optimism.io/t/op-labs-audit-framework-when-to-get-external-security-review-and-how-to-prepare-for-it/6864), some presented failure modes are similar to the ”Deposit path no spoofing”, as it affects the validity of the deposits. In particular, referencing a non-existing cross-chain message with a deposit can be considered spoofing. |
| 95 | + |
| 96 | +## Additional Notes |
| 97 | + |
| 98 | +Something worth noticing is that implementing the ban deposit closes the door for intended `ExecutingMessage` emissions from deposits. This feature could be desirable to force valid cross-chain messages from L1 and bypass sequencer censorship. There is an active exploration to ensure that the censorship-resistance property, with the introduction of [preregistrations](https://github.com/ethereum-optimism/specs/issues/520). |
0 commit comments