Address aliasing is wrongfully applied even to EOAs #111
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
M-02
primary issue
Highest quality submission among a set of duplicates
🤖_05_group
AI based duplicate group recommendation
selected for report
This submission will be included/highlighted in the audit report
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
sufficient quality report
This report is of sufficient quality
Lines of code
https://github.com/kkrt-labs/kakarot/blob/b8f5f2a20bd733cc8885c010291885e1df7dc50e/solidity_contracts/src/L1L2Messaging/L1KakarotMessaging.sol#L8
Vulnerability details
Proof of Concept
Kakarot inherits the address aliasing logic from Optimism as hinted in
AddressAliasHelper.sol
:Now this is a key property of the Optimism bridge, which is that all contract addresses are aliased. And this is done inorder to avoid a contract on L1 to be able to send messages as the same address on L2, because often these contracts will have different owners.
To go into more details about why & how this is used, we can see this: https://docs.optimism.io/chain/differences#address-aliasing:
That's to say we expect this aliasing logic to:
Issue however is that Kakarot applies this aliasing logic not only on contracts but even EOAs, see https://github.com/kkrt-labs/kakarot/blob/b8f5f2a20bd733cc8885c010291885e1df7dc50e/solidity_contracts/src/L1L2Messaging/L1KakarotMessaging.sol#L8:
Evidently, the classic contract check of
msg.sender != tx.origin
is missing which means even when the caller is an EOA it's still get aliased.Impact
Broken functionality for aliasing senders considering even EOAs get aliased instead of it just being restricted to smart contracts, i.e if developers implement access control checks on the sender of the transactions, say a deposit tx for e., they would have to believe that the address of the contract from the L1 is not aliased when it is an EOA however in Kakarot's case, it is. Therefore would result in unintentional bugs where the access control will be implemented incorrectly and these transactions will always fail.
Recommended Mitigation Steps
Apply an if
msg.sender != tx.origin
check instead and in the case where this ends up being true then alias the address otherwise let it be.Assessed type
Context
The text was updated successfully, but these errors were encountered: