Function: revertBatch(bytes batchHeader)

This is an admin entry point that removes committed but unfinalized batches starting from the supplied header and rewinds lastCommittedBatchIndex.

Inputs

  • batchHeader

    • Control: Admin (DEFAULT_ADMIN_ROLE).

    • Constraints: Must decode to a batch already present in committedBatches and with an index strictly greater than lastFinalizedBatchIndex.

    • Impact: When valid, deletes batch metadata from the target index through the tip and decrements lastCommittedBatchIndex.

Branches and code coverage

Intended branches

  • Reverts when the provided batch header is not committed.

  • Reverts when attempting to revert a finalized batch.

  • Successful rollback clears storage entries.

Negative behavior

  • A caller without DEFAULT_ADMIN_ROLE reverts via onlyRole.

  • Attempting to revert the genesis batch fails earlier because it is already finalized.

Function call analysis

  • this._loadBatchHeader(batchHeader, lastBatchIndex) -> BatchHeaderValidiumV0Codec.loadAndValidate(_batchHeader)

    • What is controllable? Entire header bytes supplied by the admin.

    • If the return value is controllable, how is it used and how can it go wrong? Returns pointer/length only when the header is well-formed — malformed data reverts before state changes.

    • What happens if it reverts, reenters or does other unusual control flow? N/A.

  • this._loadBatchHeader(batchHeader, lastBatchIndex) -> BatchHeaderValidiumV0Codec.getBatchIndex(batchPtr)

    • What is controllable? Derived from the decoded header.

    • If the return value is controllable, how is it used and how can it go wrong? Must be ≤ lastCommittedBatchIndex — out-of-range values revert.

    • What happens if it reverts, reenters or does other unusual control flow? N/A.

  • this._loadBatchHeader(batchHeader, lastBatchIndex) -> BatchHeaderValidiumV0Codec.computeBatchHash(batchPtr, length)

    • What is controllable? Derived from the decoded header.

    • If the return value is controllable, how is it used and how can it go wrong? The resulting hash must match storage.

    • What happens if it reverts, reenters or does other unusual control flow? N/A.

  • this._loadBatchHeader(batchHeader, lastBatchIndex)

    • What is controllable? Header inputs validated above.

    • If the return value is controllable, how is it used and how can it go wrong? Returns the batch index.

    • What happens if it reverts, reenters or does other unusual control flow? N/A.
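The checks and rollback listed above can be exercised against a small reference model. This is an added example, not code from the audited project: the 8-byte-index header layout, SHA-256 as the batch hash, the class and method names, and the rewind to index - 1 are assumptions made for illustration.

```python
import hashlib

ADMIN = "DEFAULT_ADMIN_ROLE"

class Revert(Exception):
    """Models an EVM revert: the call aborts and state is unchanged."""

def header(index: int, body: bytes) -> bytes:
    # Constructed toy layout (not the real codec): 8-byte index + opaque body.
    return index.to_bytes(8, "big") + body

def batch_hash(hdr: bytes) -> bytes:
    return hashlib.sha256(hdr).digest()  # stand-in for the on-chain batch hash

class RollupModel:
    def __init__(self, genesis: bytes):
        self.committed = {0: batch_hash(genesis)}  # models committedBatches
        self.last_committed = 0
        self.last_finalized = 0  # genesis is already finalized

    def commit(self, body: bytes) -> bytes:
        self.last_committed += 1
        hdr = header(self.last_committed, body)
        self.committed[self.last_committed] = batch_hash(hdr)
        return hdr

    def _load_batch_header(self, hdr: bytes, last_index: int) -> int:
        if len(hdr) < 8:
            raise Revert("malformed header")
        index = int.from_bytes(hdr[:8], "big")
        if index > last_index:
            raise Revert("index beyond committed tip")
        if self.committed.get(index) != batch_hash(hdr):
            raise Revert("batch not committed")
        return index

    def revert_batch(self, roles: set, hdr: bytes) -> int:
        if ADMIN not in roles:  # models onlyRole
            raise Revert("missing DEFAULT_ADMIN_ROLE")
        # Every check runs before any storage is touched.
        index = self._load_batch_header(hdr, self.last_committed)
        if index <= self.last_finalized:
            raise Revert("batch already finalized")
        for i in range(index, self.last_committed + 1):  # target through tip
            del self.committed[i]
        self.last_committed = index - 1  # assumed rewind value
        return index
```

A model like this can serve as the oracle in a property test: every rejected call must leave committed and last_committed untouched, and every accepted call must leave no entry above the new tip.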

Zellic © 2025