Taiko Alethia Inbox Verification Pointer Corruption Vulnerability
Vulnerability
A vulnerability in Taiko Alethia's rollup implementation, specifically in the TaikoInbox contract version 2.3.1 and earlier, corrupts the verification pointer (the stored verified transition ID) of the last verified batch. In the _verifyBatches loop, the local transition ID is overwritten with the ID of the candidate batch's transition, looked up from the current block hash, before the function has confirmed that the batch can actually be verified. When the loop then breaks early, for example because that transition is still inside its cooldown window, the local variable holds the transition ID of a batch that was not verified, and the function still writes it into the verified transition ID of the last batch that was. Because the next verification run reloads its starting block hash from that pointer, the last verified batch ends up linked to the wrong transition, breaking the integrity of the batch verification chain.
Impact
Exploitation of this vulnerability leaves the last verified batch pointing at the wrong transition: the stored ID is taken from the next, unverified batch (or is zero if no matching transition was found), so in the verified batch's own slot it may name a transition whose parent hash is not the previously verified block, or no transition at all. Later verification runs start from this corrupted pointer, so the chain of verified transitions no longer matches what was actually proven and verified.
Reproduction
The issue can be reproduced by proposing two batches, proving a transition for each so that the second builds on the block hash of the first, and then triggering verification at a time when the first batch's transition has left its cooldown window but the second's has not. The loop verifies the first batch, loads the second batch's transition ID, and breaks on the cooldown check; the pointer write that follows then stores the second batch's transition ID on the first batch, exposing the corruption. To make the misassignment observable, the two transition IDs must differ (for example, the first batch should hold more than one recorded transition), otherwise the wrong value happens to coincide with the right one.
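The following is an added Python model of the verification loop and the reproduction above; it is not Taiko's code. The Batch, TransitionState and InboxState classes, the prove/propose helpers, the cooldown of 60 and all timestamps and hashes are constructed stand-ins for the contract's storage and for real proofs. `verify_batches(..., vulnerable=True)` commits the local transition ID before the cooldown check, as the vulnerable contract does; `vulnerable=False` commits it only after the batch has passed every check. `pointer_is_consistent` is the check a practitioner would run against the resulting state: every verified batch's stored transition must chain onto the previously verified block hash.

```python
from dataclasses import dataclass, field

GENESIS_HASH = b"\x00" * 32   # constructed genesis block hash


@dataclass
class TransitionState:
    parent_hash: bytes
    block_hash: bytes
    created_at: int            # time the transition was proved (constructed)


@dataclass
class Batch:
    verified_transition_id: int = 0      # 0 = not verified yet
    next_transition_id: int = 1          # tids 1..next_transition_id-1 exist
    transitions: dict = field(default_factory=dict)     # tid -> TransitionState
    transition_ids: dict = field(default_factory=dict)  # parent_hash -> tid


@dataclass
class InboxState:
    batches: dict = field(default_factory=dict)   # batch_id -> Batch
    last_verified_batch_id: int = 0


def new_state():
    st = InboxState()
    genesis = Batch(verified_transition_id=1, next_transition_id=2)
    genesis.transitions[1] = TransitionState(b"", GENESIS_HASH, 0)
    st.batches[0] = genesis
    return st


def propose(state, batch_id):
    state.batches[batch_id] = Batch()


def prove(state, batch_id, parent_hash, block_hash, now):
    """Record a transition for batch_id and return its (1-based) tid."""
    b = state.batches[batch_id]
    tid = b.next_transition_id
    b.transitions[tid] = TransitionState(parent_hash, block_hash, now)
    b.transition_ids[parent_hash] = tid
    b.next_transition_id += 1
    return tid


def verify_batches(state, now, cooldown, vulnerable):
    """Walk forward from the last verified batch following parent hashes."""
    batch_id = state.last_verified_batch_id
    batch = state.batches[batch_id]
    tid = batch.verified_transition_id
    block_hash = batch.transitions[tid].block_hash   # pointer reload: why corruption matters

    batch_id += 1
    while batch_id in state.batches:
        batch = state.batches[batch_id]
        if batch.next_transition_id <= 1:
            break                                    # nothing proved for this batch
        candidate = batch.transition_ids.get(block_hash, 0)
        if candidate == 0:
            break                                    # no transition builds on our head
        if vulnerable:
            tid = candidate                          # BUG: committed before the cooldown check
        ts = batch.transitions[candidate]
        if ts.created_at + cooldown > now:
            break                                    # still in cooldown: NOT verified
        if not vulnerable:
            tid = candidate                          # hardened: commit only after all checks
        block_hash = ts.block_hash
        batch_id += 1
    batch_id -= 1

    if state.last_verified_batch_id != batch_id:
        state.last_verified_batch_id = batch_id
        state.batches[batch_id].verified_transition_id = tid   # the corrupted write
    return batch_id, state.batches[batch_id].verified_transition_id


def pointer_is_consistent(state):
    """Every verified batch's stored transition must chain onto its predecessor."""
    prev_hash = GENESIS_HASH
    for bid in range(1, state.last_verified_batch_id + 1):
        b = state.batches[bid]
        ts = b.transitions.get(b.verified_transition_id)
        if ts is None or ts.parent_hash != prev_hash:
            return False
        prev_hash = ts.block_hash
    return True


def reproduce(vulnerable, cooldown=60):
    """Two batches; batch 1 past cooldown, batch 2 still inside it (constructed)."""
    st = new_state()
    propose(st, 1)
    propose(st, 2)
    # Batch 1 gets two transitions so its correct tid (2) differs from batch 2's tid (1);
    # tid 1 is a constructed transition with a parent that does not match genesis.
    prove(st, 1, b"\x11" * 32, b"\xaa" * 32, now=100)
    prove(st, 1, GENESIS_HASH, b"\xbb" * 32, now=100)      # tid 2, builds on genesis
    prove(st, 2, b"\xbb" * 32, b"\xcc" * 32, now=150)      # tid 1, builds on batch 1
    # t=200: batch 1 cooldown (100+60) elapsed, batch 2 cooldown (150+60) has not.
    last, tid = verify_batches(st, now=200, cooldown=cooldown, vulnerable=vulnerable)
    return last, tid, pointer_is_consistent(st)


if __name__ == "__main__":
    print("vulnerable:", reproduce(True))    # batch 1 stored with batch 2's tid, inconsistent
    print("hardened: ", reproduce(False))    # batch 1 stored with its own tid, consistent
```

With the vulnerable ordering the call returns batch 1 as last verified but stores transition ID 1 on it, and `pointer_is_consistent` fails because that transition's parent is not the genesis hash; with the hardened ordering the stored ID is 2 and the chain check passes. Note that the loop never breaks on the first batch in this scenario, which is exactly why the first batch must be past its cooldown and the second still inside it.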
