Assessment reportsPublic findings
Back to Zellic siteBack
Assessment reports>Cloak V1>Low findings>The function ,commitBatch, can be executed before the function ,importGenesisBatch
GeneralOverview
Findings
Medium (2)
Low (1)The function commitBatch can be executed before the function importGenesisBatch
Threat ModelWhat are threat models?FastWithdrawVault.solL1ERC20GatewayValidium.solL1WETHGatewayValidium.solScrollChainValidium.sol
Audit ResultsAssessment Results
Category: Business Logic

The function commitBatch can be executed before the function importGenesisBatch

Low Impact
Low Severity
Low Likelihood

Description

The function importGenesisBatch can set the batch hash and state root for index 0 (i.e., it imports the genesis batch).

function importGenesisBatch(bytes calldata _batchHeader) external onlyRole(GENESIS_IMPORTER_ROLE) {
    // [...]

    committedBatches[0] = _batchHash;
    stateRoots[0] = _postStateRoot;

    emit CommitBatch(0, _batchHash);
    emit FinalizeBatch(0, _batchHash, _postStateRoot, bytes32(0));
}

When the sequencer commits a batch, the function commitBatch does not check if the genesis batch has already been imported. It only ensures that the value of the parentBatchHash parameter is equal to committedBatches[cachedLastCommittedBatchIndex].

function commitBatch(
    uint8 version,
    bytes32 parentBatchHash,
    bytes32 postStateRoot,
    bytes32 withdrawRoot,
    bytes calldata commitment
) external onlyRole(SEQUENCER_ROLE) whenNotPaused {
    if (postStateRoot == bytes32(0)) revert ErrorStateRootIsZero();

    uint256 cachedLastCommittedBatchIndex = lastCommittedBatchIndex;
    if (parentBatchHash != committedBatches[cachedLastCommittedBatchIndex]) {
        revert ErrorIncorrectBatchHash();
    }

    cachedLastCommittedBatchIndex += 1;
    bytes memory batchHeader = BatchHeaderValidiumV0Codec.encode(
        // [...]
    );
    bytes32 batchHash = BatchHeaderValidiumV0Codec.computeBatchHash(batchHeader);

    lastCommittedBatchIndex = cachedLastCommittedBatchIndex;
    committedBatches[cachedLastCommittedBatchIndex] = batchHash;
    stateRoots[cachedLastCommittedBatchIndex] = postStateRoot;
    withdrawRoots[cachedLastCommittedBatchIndex] = withdrawRoot;

    emit CommitBatch(cachedLastCommittedBatchIndex, batchHash);
}

Impact

If the function commitBatch is successfully called before the function importGenesisBatch, the value of committedBatches[0] actually used will be 0. This will affect the hash-value calculation for subsequent batches.

Recommendations

Consider ensuring that committedBatches[cachedLastCommittedBatchIndex] is not zero in the function commitBatch.

Remediation

Zellic © 2025Back to top ↑