hubble-contracts icon indicating copy to clipboard operation
hubble-contracts copied to clipboard

Published 20 hours ago verified publisher icon thehubbleproject

Disallow calling processWithdrawCommitment twice

Open duckception opened this issue 3 years ago • 4 comments
trafficstars

Currently, anyone can call processWithdrawCommitment multiple times which may lead to permanent lock up of tokens in the WithdrawManager. This PR fixes it and removes redundant code from the Vault smart contract.

duckception avatar Jan 04 '22 09:01 duckception

I feel that this issue should be resolved together with #664 and we would come up with a better solution then.

msieczko avatar Jan 13 '22 13:01 msieczko

I agree with @msieczko , resolving https://github.com/thehubbleproject/hubble-contracts/issues/664 would be a better path forward. @duckception Appreciate you taking a stab at trying to resolve this.

jacque006 avatar Jan 20 '22 23:01 jacque006

Issue described in #664 should be now resolved 🚀

Additionally, I have a question @jacque006. What is the purpose of validateAndApply functions in FrontendCreate2Transfer.sol and FrontendMassMigration.sol contracts?

duckception avatar Jan 21 '22 12:01 duckception

We've discovered that changing just the nonce is not enough to prevent withdraw roots collision. Hubble allows registration of multiple user states for the same pubkey ID, therefore there still can be a case where withdraw root collision could happen (see modified test in rollup.massMigration.test.ts). To overcome this, I've added a new user state structure, just for mass migrations, that additionally takes into account state ID of the sender and is now used to generate collision-free withdraw root.

duckception avatar Feb 18 '22 11:02 duckception