
L2Sender reinit fix #8864

Merged
merged 10 commits into from
Jan 8, 2024

Conversation

maurelian
Contributor

Replaces #8797 which was accidentally closed.

Description

Fixes an issue which would allow for a single message to be replayed twice by intercepting an upgrade.

This is addressed in two ways:

  • Do not overwrite the xDomainMsgSender if it is not the default value.
  • Added another check that successfulMessages for the message is still false after the
    external call.

Exploit Description

To perform the exploit, the following steps must be taken by the attacker:

  1. Wait for a signed upgrade transaction.
  2. Once the signed upgrade transaction is available, front-run by running it inside a
    withdrawal transaction.
  3. The attacker's withdrawal payload will call their own contract which would run the
    upgrade transaction and then re-enter relayMessage() with their own same
    withdrawal message.
  4. The reentrancy will succeed since xDomainMsgSender has been reset by the upgrade.

The attacker must also satisfy the following with their withdrawal message:

  1. It must be a failed withdrawal so they can re-enter relayMessage(). A fresh withdrawal
    cannot reenter as it checks failedMessages[versionedHash] is true.
  2. It must have a value set. The amount for value is the amount that they will be able to
    drain from the contract.
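The two guards listed in the description, shown together as an added illustrative sketch that is not the project's code. Only xDomainMsgSender, successfulMessages, failedMessages and relayMessage() come from the PR text; the DEFAULT_SENDER value, the simplified reentrancy check and the elided replay preconditions are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Illustrative sketch, not the project's code. Only xDomainMsgSender,
// successfulMessages, failedMessages and relayMessage come from the PR text;
// everything else is an assumption chosen to show the two guards.
contract MessengerSketch {
    // Sentinel meaning "no relay in flight" (assumed value).
    address internal constant DEFAULT_SENDER = 0x000000000000000000000000000000000000dEaD;

    address public xDomainMsgSender;
    mapping(bytes32 => bool) public successfulMessages;
    mapping(bytes32 => bool) public failedMessages;

    // Initializer that an upgrade may run again while a relay is in flight.
    // Guard 1: only write the default into untouched storage; an unconditional
    // reset here is what let a sandwiched upgrade defeat the reentrancy check.
    function initialize() public {
        if (xDomainMsgSender == address(0)) {
            xDomainMsgSender = DEFAULT_SENDER;
        }
    }

    function relayMessage(
        bytes32 versionedHash,
        address sender,
        address target,
        uint256 value,
        bytes calldata data
    ) external payable {
        // Reentrancy check: a non-default sender means a relay is already running.
        require(xDomainMsgSender == DEFAULT_SENDER, "reentrant relay");
        require(!successfulMessages[versionedHash], "already relayed");
        // Replay preconditions (failedMessages, msg.value rules) elided for brevity.

        xDomainMsgSender = sender;
        (bool success,) = target.call{ value: value }(data);
        xDomainMsgSender = DEFAULT_SENDER;

        if (success) {
            // Guard 2: re-check after the external call. If a nested relay of the
            // same hash got through, it has already flipped this flag, so the
            // outer relay reverts instead of paying the value a second time.
            assert(!successfulMessages[versionedHash]);
            successfulMessages[versionedHash] = true;
        } else {
            failedMessages[versionedHash] = true;
        }
    }
}
```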

@maurelian maurelian requested a review from a team as a code owner January 5, 2024 19:41
@maurelian maurelian requested review from tynes and removed request for a team January 5, 2024 19:41

codecov bot commented Jan 5, 2024

Codecov Report

Attention: 5 lines in your changes are missing coverage. Please review.

Comparison is base (8ba2e1e) 34.81% compared to head (d03df25) 25.90%.
Report is 1 commits behind head on develop.


Base automatically changed from jm/reinit-attack-demo to develop January 8, 2024 16:02
@maurelian maurelian force-pushed the jm/fix-l2sender-reinit branch from f876428 to eb9210f January 8, 2024 16:26
Contributor

coderabbitai bot commented Jan 8, 2024

Walkthrough

The updates across various contracts in the Optimism bedrock package focus on incrementing semantic versions and enhancing security. The version increments reflect new features or fixes. Security improvements include additional checks to prevent reentrancy attacks and ensure that messages are not relayed multiple times. A specific fix ensures that if an l2Sender is the zero address, it is set to a default value during initialization.

Changes

File Path | Change Summary
.../L1CrossDomainMessenger.sol, .../OptimismPortal.sol, .../L2CrossDomainMessenger.sol | Updated semantic versions and added conditional assignment for l2Sender.
.../CrossDomainMessenger.sol | Added checks to prevent reentrancy and double message relaying, updated initialization logic.
.../L1/L1CrossDomainMessenger.t.sol | Updated comments and test logic to reflect reentrancy vulnerability regression test and ensure reversion on replayed message during reinitialization.


Contributor

semgrep-app bot commented Jan 8, 2024

Semgrep found 1 todos_require_linear finding:

  • op-conductor/conductor/service.go: L352

Please create a GitHub ticket for this TODO.


@maurelian maurelian force-pushed the jm/fix-l2sender-reinit branch from 5df233c to 97400a2 January 8, 2024 17:53
@maurelian maurelian force-pushed the jm/fix-l2sender-reinit branch from 97400a2 to d03df25 January 8, 2024 18:43
@tynes tynes added this pull request to the merge queue Jan 8, 2024
Merged via the queue into develop with commit 81b56fe Jan 8, 2024
67 of 68 checks passed
@tynes tynes deleted the jm/fix-l2sender-reinit branch January 8, 2024 19:23
// We only want to set the xDomainMsgSender to the default value if it hasn't been initialized yet,
// meaning that this is a fresh contract deployment.
// This prevents resetting the xDomainMsgSender to the default value during an upgrade, which would enable
// a reentrant withdrawal to sandwhich the upgrade replay a withdrawal twice.
Contributor


nit 😅

Suggested change
// a reentrant withdrawal to sandwhich the upgrade replay a withdrawal twice.
// a reentrant withdrawal to sandwich the upgrade to replay a withdrawal twice.
