The chainID field in the transaction passed to the execute method in the ECDSAContractAccount is not checked, and as such L1 messages can be replayed by anyone on L2.

When combined with B02, this allows an attacker to steal from any user that reuses their L1 address on L2 by replaying L1 transactions with insufficient gas and pocketing the excess.

The amount stolen is limited by the total amount ever spent on gas by that account on L1, and the attacker must also pay to include the replayed transactions on L2. Nevertheless, it seems reasonable to suggest that the attacker could profit to the tune of several hundred or thousand dollars for an active L1 account.

The gas specified in the transaction to be executed by the ECDSAContractAccount can be higher than the gas provided by the relayer. This allows the relaying party to force any transactions to run out of gas at will, while still incrementing the nonce and marking the transaction as executed.

As noted below, the relayer always receives gasLimit * gasPrice L2 WETH as payment, independent of the actual gas used during execution. This means that relayers can profit by forcing an out of gas in the execution of the relayed transaction, while still collecting the full gas payment.

In order to guarantee that the gas provided by the relayer is sufficient to execute the transaction with decodedTx.gasLimit gas forwarded to the inner call, we recommend to add a check:

Lib_SafeExecutionManagerWrapper.safeREQUIRE(
    gasleft() >= safeAdd(decodedTx.gasLimit, buffer)
)

where buffer is sufficient to cover the gas costs of all of the transactions up to and including the CALL/CREATE which forms the entrypoint of the transaction.

The fee that pays gas for the transaction in the OVM_ECDSAContractAccount is computed directly by gasLimit * gasPrice and is not dependent on the actual gas used.

This leads to users overpaying for transactions when supplying more gas then necessary.

The audit team recommends that the remaining gas should be returned back to the user after the call is performed.

The calculation of the fee paid to the relayer in the ECDSAContractAccount is made using unchecked arithmetic (uint256 fee = decodedTx.gasLimit * decodedTx.gasPrice), where both gasLimit and gasPrice are user provided. This allows users to craft transactions that have a very high gas price or gas limit which do not result in a corresponding fee payment to the relayer.

A similar issue exists in the calculation of the gas limit to be used when creating a new contract. In this case, setting a gas limit lower than 2000 results in an arithmetic underflow, and a huge gas limit will be passed to the call to LibSafeExecutionManagerWrapper.safeCREATE.

This allows users to execute transactions at a very high cost without sufficient compensation to the relayer.

The call to transfer L2 WETH to pay for gas usage ECDSAContractAccount can REVERT, and the transaction will still execute despite the relayer not being compensated for the gas usage.

The audit team recommends to require a successful transfer before executing the transaction.

In Lib_Bytes32Utils, the address _in is cast to a bytes32 as: bytes32(bytes20(_in)). The bytes20 cast right pads its argument, which makes this casting inconsistent with the corresponding toAddress cast: address(uint160(uint256(_in))) which assumes the argument to be left padded.

A lack of safemath on L168 and L100 in LibBytesUtils can cause malformed input data to bypass the out of bounds check, which leads to slice trying to allocate 2 ^ 256 -1 bytes of memory, for example given the input LibBytesUtils.slice(bytes(""), 1).

This will clearly always fail and consume all available gas.

Recommendation: use safemath here, and elsewhere.

As of version 0.6.0, Solidity supports slices of bytestrings natively. However, only calldata bytestrings are currently supported. The audit team recommends using native slices wherever possible instead of the custom implementation in LibBytesUtils.

There is a memory corruption issue in Lib_RLPWriter that can cause unexpected division by zero, resulting in an assertion violation and unexpected transaction failures.

The error (as well as the related problem in LibBytesUtils.slice) stems from an incorrect usage of the Solidity free memory pointer.

By convention, Solidity stores the currently allocated memory size at memory locations 0x40-0x5f, which can be retrieved by mload(0x40) in assembly. However, memory is not guaranteed to be empty at this location as:

Solidity always places new objects at the free memory pointer and memory is never freed (this might change in the future).

Recommendation: always make sure to clear memory before writing.

The assembly code in LibBytesUtils.slice suffers from the same problem as Lib_RLPWriter.writeAddress wherein memory is not cleared before it is being used, leading to incorrect output and OOG errors.

The code here is copied from solidity-bytes-utils by Gonçalo Sá. The audit team notified the author who promptly addressed the issue with this fix.

The ovmSETNONCE opcode allows users to set their nonce to an arbitrary value, including uint(-1). It also contains a check ensuring that the new nonce is greater than the current nonce. This check is not present if the nonce is incremented during a contract deployment with ovmCREATE.

If users set their nonce to uint(-1) and call ovmCREATE, the nonce will overflow and will end up 0.

This allows for users to replay their own transactions, which means that the OVM chain can have multiple state transitions triggered by the same transaction hash, invalidating the assumption made by ethereum clients that transaction hashes are sufficient to identify transactions.

The value field in the transaction passed to OVM_ECDSAContractAccount is silently ignored. Since native ether does not exist as such on L2, a nonzero value doesn't have any effect. Regardless, accepting nonzero values can lead to confusion and the risk of social engineering attacks depending on how these are displayed by chain explorers, etc.

The audit team recommends to add a check that will call safeREVERT if the _transaction.value field is non-zero.

The OVM contracts make extensive use of unchecked arithmetic, even in calculations involving values that can be controlled by end users. This makes reasoning about the code significantly more challenging and unnecessarily increases the risk of an unintentional overflow (several such issues were found as part of this engagement).

The audit team recommends replacing all uses of unchecked arithmetic with a safe math abstraction that calls OVM_ExecutionManager.safeRevert if an overflow is detected.

Lib_BytesUtils.concat is a complex piece of hand written assembly. The same result can be achieved by using abi.encodePacked.

The audit team recommends relying on the standard and well tested implementation in the solc compiler and replacing all usage of Lib_BytesUtils.concat with abi.encodePacked.

EIP-1967 specifies a standard storage slot to be used for proxy implementation addresses.

Usage of this standardized storage slot would enable easier integration of the OVM into block explorers or other external tooling.

The following storage variables do not change after construction and can be made immutable:

• OVM_StateTransitioner.preStateRoot
• OVM_StateTransitioner.stateTransitionIndex
• OVM_StateTransitioner.transactionhash
• OVM_CanonicalTransactionChain.forceInclusionPeriodSeconds
• OVM_ExecutionManager.safetyChecker

Lines 61 and 71 of OVM_SequqncerEntrypoint contain redundant casts to uint8 for the v value of the signature. v is already given type uint8 on line 46.

These can be safely removed.

The documentation of the expected calldata layout for the OVM_SequencerEntrypoint is missing an entry for the v parameter of the signature.

Both Lib_OVMCodec and OVM_SequencerEntryPoint contain separate definitions of semantically equivalent transaction type enums.

The audit team recommends removing the enum from OVM_SequencerEntryPoint and using the implementation from Lib_OVMCodec throughout.

The OVM contracts use the ABIEncoderV2. Although recently moved out of "experimental" status, the V2 encoder is still less tested than the V1 encoder and has been the cause of many recent solc bugs (ref). Usage of the V2 encoder increases the risk that a vulnerability will be introduced into the contracts by solc during compilation.

The ECDSAContractAccount accepts transactions with gasLimit and nonce of uint256, whereas geth caps these values as the max value of a uint64.

The ordering of fields in the two transaction encodings supported by the ECDSAContractAccount differs. This may make life slightly harder for those integrating with the OVM.

The ovmCREATEOA opcode does perform any checks on the contents of the message it has been passed, and as such allows anyone to create an EOA on the OVM on behalf of any possible public key, by passing messageHash=0 hash.

EOA accounts can be arbitrarily upgraded by their users, including to an implementation that does not pay a relayer fee. Relayers should maintain a client side allowlist of known good EOA implementations.

Traders often use transactions to the zero address as a way to cancel pending orders.

The usage of transactions to zero as a sentinel value to indicate contract creation within the ECDSAContractAccount may interfere with these workflows.