feat(ctb): Enforce EOA for `addLeavesLPP` (#9022)

* Enforce that `tx.origin == msg.sender` in `addLeavesLPP` * rebase * rebase

feat(ctb): Enforce EOA for `addLeavesLPP` (#9022)
* Enforce that `tx.origin == msg.sender` in `addLeavesLPP` * rebase * rebase
ead6ebba · clabby · GitHub · 41c2d871 · ead6ebba · ead6ebba
Commit ead6ebba authored Jan 16, 2024 by clabby Committed by GitHub Jan 17, 2024
8 changed files
--- a/op-bindings/bindings/alphabetvm.go
+++ b/op-bindings/bindings/alphabetvm.go
--- a/op-bindings/bindings/preimageoracle.go
+++ b/op-bindings/bindings/preimageoracle.go
--- a/op-bindings/bindings/preimageoracle_more.go
+++ b/op-bindings/bindings/preimageoracle_more.go
--- a/packages/contracts-bedrock/slither-report.json
+++ b/packages/contracts-bedrock/slither-report.json
@@ -1096,10 +1096,10 @@
    "impact": "Medium",
    "confidence": "Medium",
    "check": "uninitialized-local",
-    "description": "PreimageOracle.challengeFirstLPP(address,uint256,PreimageOracle.Leaf,bytes32[]).stateMatrix (src/cannon/PreimageOracle.sol#383) is a local variable never initialized\n",
+    "description": "PreimageOracle.challengeFirstLPP(address,uint256,PreimageOracle.Leaf,bytes32[]).stateMatrix (src/cannon/PreimageOracle.sol#390) is a local variable never initialized\n",
    "type": "variable",
    "name": "stateMatrix",
-    "start": 17601,
+    "start": 17901,
    "length": 40,
    "filename_relative": "src/cannon/PreimageOracle.sol"
  },

--- a/packages/contracts-bedrock/snapshots/abi/PreimageOracle.json
+++ b/packages/contracts-bedrock/snapshots/abi/PreimageOracle.json
@@ -700,6 +700,11 @@
    "name": "InvalidProof",
    "type": "error"
  },
+  {
+    "inputs": [],
+    "name": "NotEOA",
+    "type": "error"
+  },
  {
    "inputs": [],
    "name": "NotInitialized",

--- a/packages/contracts-bedrock/src/cannon/PreimageOracle.sol
+++ b/packages/contracts-bedrock/src/cannon/PreimageOracle.sol
@@ -189,6 +189,10 @@ contract PreimageOracle is IPreimageOracle {
    /// @notice Initialize a large preimage proposal. Must be called before adding any leaves.
    function initLPP(uint256 _uuid, uint32 _partOffset, uint32 _claimedSize) external {
+        // The caller of `addLeavesLPP` must be an EOA.
+        if (msg.sender != tx.origin) revert NotEOA();
+        // The part offset must be within the bounds of the claimed size + 8.
        if (_partOffset >= _claimedSize + 8) revert PartOffsetOOB();
        LPPMetaData metaData = proposalMetadata[msg.sender][_uuid];
@@ -211,6 +215,9 @@ contract PreimageOracle is IPreimageOracle {
    )
        external
    {
+        // The caller of `addLeavesLPP` must be an EOA.
+        if (msg.sender != tx.origin) revert NotEOA();
        // If we're finalizing, pad the input for the submitter. If not, copy the input into memory verbatim.
        bytes memory input;
        if (_finalize) {

--- a/packages/contracts-bedrock/src/cannon/libraries/CannonErrors.sol
+++ b/packages/contracts-bedrock/src/cannon/libraries/CannonErrors.sol
@@ -33,3 +33,6 @@ error BadProposal();
 /// @notice Thrown when attempting to add leaves to a preimage proposal that has not been initialized.
 error NotInitialized();
+/// @notice Thrown when the caller of a function is not an EOA.
+error NotEOA();
--- a/packages/contracts-bedrock/test/cannon/PreimageOracle.t.sol
+++ b/packages/contracts-bedrock/test/cannon/PreimageOracle.t.sol
@@ -173,6 +173,9 @@ contract PreimageOracle_LargePreimageProposals_Test is Test {
    function setUp() public {
        oracle = new PreimageOracle();
        vm.label(address(oracle), "PreimageOracle");
+        // Set `tx.origin` and `msg.sender` to `address(this)` so that it may behave like an EOA for `addLeavesLPP`.
+        vm.startPrank(address(this), address(this));
    }
    /// @notice Tests that the `initLPP` function reverts when the part offset is out of bounds of the full preimage.
@@ -216,6 +219,26 @@ contract PreimageOracle_LargePreimageProposals_Test is Test {
        console.log("Gas for 4MB: %d", (gasUsed / data.length) * 4000000);
    }
+    /// @notice Tests that the `addLeavesLPP` function may never be called when `tx.origin != msg.sender`
+    function test_addLeaves_notEOA_reverts() public {
+        // Allocate the preimage data.
+        bytes memory data = new bytes(136 * 500);
+        // Initialize the proposal.
+        oracle.initLPP(TEST_UUID, 0, uint32(data.length));
+        // Add the leaves to the tree (2 keccak blocks.)
+        LibKeccak.StateMatrix memory stateMatrix;
+        bytes32[] memory stateCommitments = _generateStateCommitments(stateMatrix, data);
+        // Replace the global prank, set `tx.origin` to `address(0)`, and set `msg.sender` to `address(this)`.
+        vm.stopPrank();
+        vm.prank(address(0), address(this));
+        vm.expectRevert(NotEOA.selector);
+        oracle.addLeavesLPP(TEST_UUID, data, stateCommitments, true);
+    }
    /// @notice Tests that leaves can be added the large preimage proposal mapping and proven to be contained within
    ///         the computed merkle root.
    function test_addLeaves_multipleParts_succeeds() public {