The MIPS contract doesn't implement ADD, ADDI, and SUB instructions correctly
Lines of code
https://github.com/code-423n4/2024-07-optimism/blob/70556044e5e080930f686c4e5acde420104bb2c4/packages/contracts-bedrock/src/cannon/MIPS.sol#L921
https://github.com/code-423n4/2024-07-optimism/blob/70556044e5e080930f686c4e5acde420104bb2c4/packages/contracts-bedrock/src/cannon/MIPS.sol#L929
Vulnerability details
According to the specification (https://www.cs.cmu.edu/afs/cs/academic/class/15740-f97/public/doc/mips-isa.pdf), ADD (page A-28), ADDI (page A-29), and SUB (page A-144) instructions should raise an Integer Overflow exception if overflow occurs. The current implementation simply wraps the result in such cases and does not raise any exceptions.
```solidity
...
function execute(uint32 insn, uint32 rs, uint32 rt, uint32 mem) internal pure returns (uint32 out) {
    unchecked {
        ...
        // funct 0x20 = ADD: the sum wraps silently inside unchecked
        else if (func == 0x20) {
            return (rs + rt);
        }
        ...
        // funct 0x22 = SUB: the difference wraps silently inside unchecked
        else if (func == 0x22) {
            return (rs - rt);
        }
        ...
    }
}
...
```
Because of this inconsistency, the MIPS contract cannot correctly emulate executions in which these instructions overflow, which allows malicious actors to successfully forge invalid claims and challenge valid claims.
Impact
An inconsistent implementation of the big-endian 32-bit MIPS32 architecture in the MIPS contract allows malicious actors to successfully forge invalid claims and challenge valid claims.
Proof of Concept
-
Tools Used
Manual Review
Recommended Mitigation Steps
Consider raising an Integer Overflow exception for ADD, ADDI, and SUB instructions if overflow occurs.
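One way to detect the signed 32-bit overflow that the specification requires ADD, ADDI, and SUB to trap on, shown as an added example that is not code from MIPS.sol or the Optimism repository. The library name, function names, the `IntegerOverflow` error, and the choice to surface the exception as a revert are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

/// @notice Added illustration only; all names here are hypothetical.
library TrappingArith {
    /// @dev Assumption: the Integer Overflow exception is modelled as a revert.
    error IntegerOverflow();

    uint32 internal constant SIGN_BIT = 0x80000000;

    /// @notice ADD semantics: two's-complement add that traps on signed overflow.
    function addTrap(uint32 rs, uint32 rt) internal pure returns (uint32 out) {
        unchecked {
            out = rs + rt; // wrap first, then inspect the sign bits
        }
        // Overflow iff both operands share a sign and the result's sign differs
        // from it: (rs ^ out) and (rt ^ out) both have the sign bit set.
        if (((rs ^ out) & (rt ^ out) & SIGN_BIT) != 0) revert IntegerOverflow();
    }

    /// @notice SUB semantics: two's-complement subtract that traps on signed overflow.
    function subTrap(uint32 rs, uint32 rt) internal pure returns (uint32 out) {
        unchecked {
            out = rs - rt;
        }
        // Overflow iff the operands have different signs and the result's sign
        // differs from the minuend rs.
        if (((rs ^ rt) & (rs ^ out) & SIGN_BIT) != 0) revert IntegerOverflow();
    }

    /// @notice ADDI semantics: sign-extend the 16-bit immediate, then trapping add.
    function addiTrap(uint32 rs, uint16 imm) internal pure returns (uint32 out) {
        // uint16 -> int16 reinterprets the bits, int16 -> int32 sign-extends,
        // int32 -> uint32 reinterprets again.
        uint32 signExtended = uint32(int32(int16(imm)));
        return addTrap(rs, signExtended);
    }
}
```

The checks operate on the sign bit because the operands are signed 32-bit values stored in `uint32`; Solidity's built-in checked arithmetic on `uint32` would instead reject unsigned wraparound, which is not the condition the specification describes.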
Assessed type
Math
