Submission Details
Severity: medium
Invalid

Lack of Access Control on commit() and apply()

Summary

Lack of Access Control on commit() and apply()

Vulnerability Details

Anyone can call commit() and apply() unless restricted in the implementation.

Malicious users could commit fake block hashes or override valid ones.

Impact

An attacker submits incorrect block hashes, leading to wrong state validation.

If these hashes are used for cross-chain validation or rollups, they could cause major financial losses.

Tools Used

@external
def commit() -> uint256:
    """
    @notice Commit (and apply) a block hash/state root.
    @dev Same as `apply()` but saves committer
    """
    ...

@external
def apply() -> uint256:
    """
    @notice Apply a block hash/state root.
    """
    ...

Recommendations

Implement an access control mechanism (e.g., only allow trusted oracles/governance).

Updates

Lead Judging Commences

0xnevi Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
