The script relies on a fixed block number (BLOCK_NUMBER = 18578883), which could make it outdated or vulnerable to manipulation if not dynamically updated. This could lead to incorrect proofs being generated and used, potentially causing incorrect financial or state-related calculations.
The block number is hardcoded in the script:
This means the script always reads state at the same block, regardless of how the chain has advanced since. If the state at that block differs from the current state, the proof generated is stale and therefore incorrect. Additionally, an attacker could exploit this by modifying the block state before submission.
Outdated or incorrect proofs could be submitted.
If the proof is used for financial or governance purposes, the incorrect values could propagate into downstream calculations and decisions.
Code review
Static analysis of the proof.py script
Fetch the latest block dynamically using:
Implement validation to ensure the block number is current (close to the chain head and with a recent timestamp) before generating a proof.
Add error handling so the script fails closed and does not produce a proof if an invalid or stale block is used.
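The three recommendation points above, implemented together as an added example; this is not the contest's proof.py and not the project's code. A real script would call web3.py's `w3.eth.block_number` and `w3.eth.get_block(number)`; here a constructed `StubProvider` mirrors those two members so the check runs offline, and the freshness thresholds `MAX_LAG_BLOCKS` and `MAX_AGE_SECONDS` are assumed values, not taken from the original script:

```python
import time
from dataclasses import dataclass
from typing import Optional

# Fixed value from the finding; kept only to demonstrate the failing path.
HARDCODED_BLOCK = 18578883

# Freshness policy (assumed thresholds, not from the original script).
MAX_LAG_BLOCKS = 64        # reject a block more than this far behind the chain head
MAX_AGE_SECONDS = 15 * 60  # reject a block whose timestamp is older than this


class StaleBlockError(RuntimeError):
    """Raised when the chosen block fails the freshness policy."""


@dataclass(frozen=True)
class Block:
    number: int
    timestamp: int


class StubProvider:
    """Constructed stand-in for a JSON-RPC node so the example runs offline.

    It mirrors the two web3.py members a proof script would call:
    `w3.eth.block_number` and `w3.eth.get_block(number)`.
    """

    def __init__(self, head: int, head_timestamp: int, block_time: int = 12):
        self.head = head
        self.head_timestamp = head_timestamp
        self.block_time = block_time

    @property
    def block_number(self) -> int:
        return self.head

    def get_block(self, number: int) -> Block:
        if number < 0 or number > self.head:
            raise LookupError(f"block {number} not found")
        # Assume a regular block interval when back-filling older timestamps.
        return Block(number, self.head_timestamp - (self.head - number) * self.block_time)


def select_block(provider, requested: Optional[int] = None,
                 now: Optional[float] = None) -> Block:
    """Pick the block a proof should be generated against.

    With `requested=None` the current head is used (the dynamic path the
    recommendation asks for). A caller may still pin a block, but it must be
    close to the head, and the block's timestamp must be recent so a lagging
    or out-of-sync node cannot silently hand back stale state.
    """
    now = time.time() if now is None else now
    head = provider.block_number
    target = head if requested is None else requested

    if target > head:
        raise StaleBlockError(f"block {target} is ahead of head {head}")
    if head - target > MAX_LAG_BLOCKS:
        raise StaleBlockError(
            f"block {target} is {head - target} blocks behind head {head} "
            f"(limit {MAX_LAG_BLOCKS})"
        )

    block = provider.get_block(target)
    if now - block.timestamp > MAX_AGE_SECONDS:
        raise StaleBlockError(
            f"block {block.number} is {int(now - block.timestamp)}s old "
            f"(limit {MAX_AGE_SECONDS}s)"
        )
    return block


def build_proof_request(provider, requested: Optional[int] = None,
                        now: Optional[float] = None) -> dict:
    """Return the parameters a proof would be generated with, or fail closed."""
    block = select_block(provider, requested, now)
    return {"block_number": block.number, "block_timestamp": block.timestamp}


if __name__ == "__main__":
    # Constructed chain state: the head is well past the hardcoded block.
    node = StubProvider(head=18_600_000, head_timestamp=1_700_000_000)
    print("dynamic:", build_proof_request(node, now=1_700_000_010))
    try:
        build_proof_request(node, requested=HARDCODED_BLOCK, now=1_700_000_010)
    except StaleBlockError as err:
        print("hardcoded block rejected:", err)
```

Running the module shows the dynamic path succeeding against the head and the hardcoded constant being rejected because it is tens of thousands of blocks behind. The timestamp check is the part most easily skipped: without it, a node that has stopped syncing still reports a "latest" block that passes the lag check, so both conditions are needed before a proof is built.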