Skip to content
This repository has been archived by the owner on Jul 28, 2024. It is now read-only.

eeshenggoh - The verification can lead to Merkle tree collision #10

Closed
sherlock-admin2 opened this issue Jan 22, 2024 · 4 comments
Closed
Labels
Non-Reward This issue will not receive a payout Sponsor Disputed The sponsor disputed this issue's validity

Comments

@sherlock-admin2
Copy link
Contributor

sherlock-admin2 commented Jan 22, 2024

eeshenggoh

medium

The verification can lead to Merkle tree collision

Summary

AvailBridge utilizes Merkle Proof for leaf verification; however, it overlooks the verification of the length of the leaf bytes.

Vulnerability Detail

It's a must to ensure to avoid using leaf values that are 64 bytes long before hashing or utilize a hash function other than keccak256 for hashing leaves. This is because the concatenation of a sorted pair of internal nodes in the Merkle tree could be reinterpreted as a leaf value.

abi.encode encodes the params according to the ABI specs. Params are padded out to 32 bytes.
Since abi.encode(bytes32,bytes32) will also be 64 bytes it is possible to have a hash collision between a leaf and a parent node.

Reference & Credits

Impact

The leaf and parent data have the same 64-byte size, allowing hash collisions between a leaf and any node. This enables the repetition of proofs using subtrees as leaves, leading to the creation of fraudulent proofs.

Code Snippet

https://github.com/sherlock-audit/2023-12-avail/blob/1afb56b8d4dfbf5d3f21bed0ddf80a04730204b5/contracts/src/interfaces/IAvailBridge.sol#L22C1-L39C6

//contracts/src/interfaces/IAvailBridge.sol
    struct MerkleProofInput {
        // proof of inclusion for the data root
        bytes32[] dataRootProof;
        // proof of inclusion of leaf within blob/bridge root
        bytes32[] leafProof;
        // abi.encodePacked(startBlock, endBlock) of header range commitment on vectorx
        bytes32 rangeHash;
        // index of the data root in the commitment tree
        uint256 dataRootIndex;
        // blob root to check proof against, or reconstruct the data root
        bytes32 blobRoot; //@audit 
        // bridge root to check proof against, or reconstruct the data root
        bytes32 bridgeRoot;//@audit 
        // leaf being proven
        bytes32 leaf;
        // index of the leaf in the blob/bridge root tree
        uint256 leafIndex;
    }

https://github.com/sherlock-audit/2023-12-avail/blob/1afb56b8d4dfbf5d3f21bed0ddf80a04730204b5/contracts/src/AvailBridge.sol#L491

 dataRootCommitment, input.dataRootIndex, keccak256(abi.encode(input.blobRoot, input.bridgeRoot))

Tool used

Manual Review

Recommendation

Use a combination of variables that does not sum to 64 bytes

@QEDK
Copy link

QEDK commented Jan 22, 2024

It is theoretically impossible to find a leaf-pair combination that corresponds to a specific concatenated hash. Secondly, since the alignment of blobRoot and bridgeRoot is fixed and both have to be revealed during a transaction, it is unclear how an internal node collision is feasible - for e.g. an internal node will never be 0x0 and it is impossible to find an internal node that resembles either root. Submit a PoC and/or proper theoretical explanation for this attack vector.

@sherlock-admin
Copy link
Contributor

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid because { invalid: same as previous issue which was deemed invalid : https://github.com/sherlock-audit/2023-12-footium-judging/issues/5}

@QEDK QEDK added the Sponsor Disputed The sponsor disputed this issue's validity label Jan 24, 2024
@QEDK
Copy link

QEDK commented Jan 24, 2024

Disputing per what I've said before + until there is a valid PoC.

@cvetanovv cvetanovv removed the Medium A valid Medium severity issue label Jan 24, 2024
@cvetanovv
Copy link
Collaborator

I'm closing this issue for now. If Watson wants he can escalate and provide a POC

@sherlock-admin2 sherlock-admin2 changed the title Electric Rusty Haddock - The verification can lead to Merkle tree collision eeshenggoh - The verification can lead to Merkle tree collision Jan 24, 2024
@sherlock-admin2 sherlock-admin2 added Non-Reward This issue will not receive a payout and removed Has Duplicates A valid issue with 1+ other issues describing the same vulnerability labels Jan 24, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
Non-Reward This issue will not receive a payout Sponsor Disputed The sponsor disputed this issue's validity
Projects
None yet
Development

No branches or pull requests

4 participants