Submission Details
Severity: high
Invalid

Lack of Validation Before Proof Submission

Summary

The submit_proof() function in proof.py does not validate whether the proofs contain properly formatted RLP-encoded data before submission. This could allow corrupted or tampered proofs to be submitted, potentially leading to incorrect state verification.

Vulnerability Details

The function reads proofs from files (header.txt, proof.txt) or receives them as input but does not perform any validation.

  • If an attacker manipulates these files or inputs invalid/corrupted data, the function still attempts to submit the proof.

  • This could result in the acceptance of incorrect or fraudulent state data, affecting the correctness of contract interactions.

Impact

If incorrect or manipulated proofs are accepted, this could lead to incorrect on-chain state verification, potentially affecting financial transactions or system integrity.

Tools Used

  • Manual code review

  • Web3.py debugging

  • RLP encoding validation tools

Recommendations

Implement validation checks to ensure the proof is correctly formatted before submission.

  • Use try-except blocks to catch RLP decoding errors before submission.

  • Add hash verification to ensure that proofs have not been tampered with before they are used.
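
The first recommendation as an added example (not code from proof.py or from the submission): a strict RLP decoder run on the file contents, so malformed data raises before anything is submitted. It assumes header.txt and proof.txt hold hex text encoding a single RLP list; `validate_rlp`, `RLPError` and the sample inputs in the comments are hypothetical.

```python
# Added example: strict structural validation of RLP bytes before submission.
# Assumption: the proof files hold hex text that encodes one RLP list.
class RLPError(ValueError):
    pass

def _decode_item(data: bytes, pos: int):
    """Decode one RLP item starting at pos; return (value, next_pos)."""
    if pos >= len(data):
        raise RLPError("truncated input")
    prefix = data[pos]
    if prefix < 0x80:                        # a single byte is its own encoding
        return data[pos:pos + 1], pos + 1
    is_list = prefix >= 0xC0
    base = 0xC0 if is_list else 0x80
    if prefix - base <= 55:                  # short form: length is in the prefix
        length, start = prefix - base, pos + 1
    else:                                    # long form: prefix gives length-of-length
        n = prefix - base - 55
        raw = data[pos + 1:pos + 1 + n]
        if len(raw) != n or raw[0] == 0:
            raise RLPError("truncated or zero-padded length field")
        length, start = int.from_bytes(raw, "big"), pos + 1 + n
        if length <= 55:
            raise RLPError("non-canonical long-form length")
    end = start + length
    if end > len(data):
        raise RLPError("payload runs past end of input")
    if not is_list:
        if length == 1 and data[start] < 0x80:
            raise RLPError("non-canonical single-byte string")
        return data[start:end], end
    items, cur = [], start
    while cur < end:                         # decode nested items inside the list
        item, cur = _decode_item(data, cur)
        items.append(item)
    if cur != end:
        raise RLPError("list item overruns its list payload")
    return items, end

def validate_rlp(hex_text: str) -> list:
    """Return the decoded top-level list, or raise RLPError if malformed."""
    text = hex_text.strip()
    try:
        data = bytes.fromhex(text[2:] if text.startswith("0x") else text)
    except ValueError as exc:
        raise RLPError(f"not valid hex: {exc}") from exc
    value, end = _decode_item(data, 0)
    if end != len(data) or not isinstance(value, list):
        raise RLPError("trailing bytes, or top-level item is not a list")
    return value                             # e.g. "0xc88363617483646f67" decodes
```

A caller would wrap `validate_rlp(open("proof.txt").read())` in `try/except RLPError` and abort the submission on failure.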

Updates

Lead Judging Commences

0xnevi Lead Judge 6 months ago
0xnevi Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope
