V1.1.0 bone #2

nikashib · 2024-11-29T10:55:26Z

Changes found:

New RLP Reader added
New deployment script for adding old predicate and removing new one
Script for deploying new withdraw manager and updating proxy
MTP related changes and removing drain
Polygon’s PR: https://github.com/0xPolygon/pos-contracts/pull/21/files v2.2.0 0xPolygon/pos-contracts#19

Changes:

Updated MerklePatriciaProof file to fix MTP issue
Removed use of RLP reader in Rootchain contract
Removed use of RLP reader in WithdrawManager contract
Removed use of RLP reader in SlashingManager contract
Removed draining from validatorShare and stakeManager
Updated the deployment script and added validatorShare and StakeManager updates

MPT Issue
The key security issue here relates to the Merkle Patricia Trie node encoding specification:

In MPT, nodes with 2 elements can be either leaf nodes or extension nodes
Their prefix nibbles distinguish them:
- Leaf nodes must have prefix 2 or 3
- Extension nodes must have prefix 0 or 1

The vulnerability in the original code is that it doesn't validate these prefixes, which means:

An attacker could craft a proof where an extension node is treated as a leaf node or vice versa
This could lead to invalid proofs being accepted as valid, potentially allowing proof forgery

nikashib added 3 commits November 29, 2024 13:37

added rlpfix polygon fix/rlpfix#16

b9d93b1

added mtpfix polygon v2.2.0 0xPolygon#19

bd7ac16

rlpfix from mintable721

63ffe31

yannmart approved these changes Nov 29, 2024

View reviewed changes

Removed drain and slashing

e38f810

yannmart approved these changes Nov 29, 2024

View reviewed changes

nikashib added 2 commits November 29, 2024 20:24

updated deployment script

7b5cdad

addresses updated

38e14f8

yannmart self-requested a review November 29, 2024 19:08

yannmart approved these changes Nov 29, 2024

View reviewed changes

yannmart merged commit 4e21007 into v1.0.0-bone Nov 29, 2024
1 check failed

Provide feedback