Skip to content
This repository has been archived by the owner on May 26, 2023. It is now read-only.

lemonmon - overview, withdrawals: DepositFeed does not exist #161

Open
github-actions bot opened this issue Feb 20, 2023 · 0 comments
Open

lemonmon - overview, withdrawals: DepositFeed does not exist #161

github-actions bot opened this issue Feb 20, 2023 · 0 comments
Labels
Has Duplicates A valid issue with 1+ other issues describing the same vulnerability Reward A payout will be made for this issue Specification An issue related to the specification (low severity)

Comments

@github-actions
Copy link

lemonmon

low

overview, withdrawals: DepositFeed does not exist

Summary

There is no DepositFeed contract. The implementation of Deposit contract would be OptimismPortal.
There are some multiple occasions of incorrect information, for example, stating that Optimism Portal inherits from DepositFeed contract.

Also, using "Deposit Contract" and DepositFeed contract interchangeably may confuse the reader.

Vulnerability Detail

https://github.com/sherlock-audit/2023-01-optimism/blob/main/optimism/specs/overview.md?plain=1#L52

There is no DepositFeed contract. It should be OptimismPortal contract.

 - The `OptimismPortal` contract emits `TransactionDeposited` events, which the rollup driver reads in order to process

https://github.com/sherlock-audit/2023-01-optimism/blob/main/optimism/specs/overview.md?plain=1#L109

Here as well, the DepositFeed contract should be OptimismPortal contract.

call the `depositTransaction` method on the `OptimismPortal` contract. This in turn emits `TransactionDeposited` events,

https://github.com/sherlock-audit/2023-01-optimism/blob/main/optimism/specs/overview.md?plain=1#L144

Here as well, the DepositFeed contract should be OptimismPortal contract.

deposits initiated via the `OptimismPortal` contract on L1. All L2 blocks can also contain _sequenced transactions_, i.e.

https://github.com/sherlock-audit/2023-01-optimism/blob/main/optimism/specs/withdrawals.md?plain=1#L133-L135

The OptimismPortal inherits Initializable, ResourceMetering and Semver and there is no DepositFeed contract in the inheritance tree.

Impact

Factually wrong specs

Code Snippet

https://github.com/sherlock-audit/2023-01-optimism/blob/main/optimism/specs/overview.md?plain=1#L52
https://github.com/sherlock-audit/2023-01-optimism/blob/main/optimism/specs/overview.md?plain=1#L109
https://github.com/sherlock-audit/2023-01-optimism/blob/main/optimism/specs/overview.md?plain=1#L144
https://github.com/sherlock-audit/2023-01-optimism/blob/main/optimism/specs/withdrawals.md?plain=1#L133-L135

Tool used

Manual Review

Recommendation

Use "Deposit Contract" or OptimismPortal depending on the context, instead of DepositFeed contract.
@github-actions github-actions bot added Has Duplicates A valid issue with 1+ other issues describing the same vulnerability Specification An issue related to the specification (low severity) labels Feb 20, 2023
This was referenced Feb 20, 2023
Closed
Closed
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Feb 21, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Has Duplicates A valid issue with 1+ other issues describing the same vulnerability Reward A payout will be made for this issue Specification An issue related to the specification (low severity)
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sherlock-admin