zkSync Era System Contracts contest - Franfran's results

Rely on math, not validators.

General Information

Platform: Code4rena

Start Date: 10/03/2023

Pot Size: $180,500 USDC

Total HM: 6

Participants: 19

Period: 9 days

Judge: GalloDaSballo

Total Solo HM: 2

Id: 221

League: ETH

zkSync

Researcher Performance

Rank: 12/19

Findings: 1

Award: $1,968.25

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: unforgiven

Also found by: Franfran, HE1M, bin2chen, rvierdiiev

Labels

bug
2 (Med Risk)
satisfactory
duplicate-167

Awards

1968.2509 USDC - $1,968.25

External Links

Lines of code

https://github.com/code-423n4/2023-03-zksync/blob/main/contracts/ContractDeployer.sol#L212
https://github.com/code-423n4/2023-03-zksync/blob/main/contracts/ContractDeployer.sol#L196-L207
https://github.com/code-423n4/2023-03-zksync/blob/main/contracts/ContractDeployer.sol#L326
https://github.com/code-423n4/2023-03-zksync/blob/main/contracts/ContractDeployer.sol#L214

Vulnerability details

Impact

The forceDeployOnAddress() function in the ContractDeployer contract may be used to redeploy contracts at a specified address. This is very useful, for instance, for precompile or system-contract upgrades. In the deployment parameters, multiple values can be set by the force deployer. Among those is callConstructor, which is responsible for calling _constructContract(), which calls the constructor, sets the immutable values for the contract, and finally marks the contract as constructed.

The issue is that if the force deployer does not want to call the constructor, the contract remains in this "constructing" state forever, because the flag is turned on but never turned off in that branch.

Tools Used

Manual inspection

Recommended Mitigation Steps

Turn the flag back off by marking the contract as "constructed" in an else block:

function forceDeployOnAddress(ForceDeployment calldata _deployment, address _sender) external payable onlySelf {
    _ensureBytecodeIsKnown(_deployment.bytecodeHash);
    _storeConstructingByteCodeHashOnAddress(_deployment.newAddress, _deployment.bytecodeHash);

    AccountInfo memory newAccountInfo;
    newAccountInfo.supportedAAVersion = AccountAbstractionVersion.None;
    // Accounts have sequential nonces by default.
    newAccountInfo.nonceOrdering = AccountNonceOrdering.Sequential;
    _storeAccountInfo(_deployment.newAddress, newAccountInfo);

    if (_deployment.callConstructor) {
        // _constructContract clears the "constructing" flag once the constructor has run.
        _constructContract(_sender, _deployment.newAddress, _deployment.input, false);
    } else {
        // No constructor call: clear the flag here, otherwise it stays set forever.
        ACCOUNT_CODE_STORAGE_SYSTEM_CONTRACT.markAccountCodeHashAsConstructed(_deployment.newAddress);
    }

    emit ContractDeployed(_sender, _deployment.bytecodeHash, _deployment.newAddress);
}
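The following is an added, self-contained reproduction of the two code paths described above; it is not part of the original submission and not code from the zkSync repository. MockAccountCodeStorage is a hypothetical stand-in for the AccountCodeStorage system contract that models only the "constructing" flag (the assumed encoding, a 0x01 in the second byte of the stored hash, is a simplification), ForceDeployer reproduces just the branch of forceDeployOnAddress that matters, with a `patched` switch selecting the unfixed or the fixed logic, and the deployment values in ForceDeployRepro are constructed sample data.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical stand-in for the AccountCodeStorage system contract.
// Only the "constructing" flag is modelled; everything else is omitted.
contract MockAccountCodeStorage {
    // Assumed encoding: the second byte of the stored hash is 0x01 while the
    // contract is under construction and 0x00 once it is constructed.
    uint256 private constant CONSTRUCTING_FLAG = uint256(1) << 240;

    mapping(address => bytes32) private rawCodeHash;

    // Called at the start of a force deployment: turns the flag on.
    function storeAccountConstructingCodeHash(address account, bytes32 bytecodeHash) external {
        rawCodeHash[account] = bytes32(uint256(bytecodeHash) | CONSTRUCTING_FLAG);
    }

    // Normally reached at the end of _constructContract: turns the flag off.
    function markAccountCodeHashAsConstructed(address account) external {
        rawCodeHash[account] = bytes32(uint256(rawCodeHash[account]) & ~CONSTRUCTING_FLAG);
    }

    function isAccountConstructing(address account) external view returns (bool) {
        return (uint256(rawCodeHash[account]) & CONSTRUCTING_FLAG) != 0;
    }
}

struct ForceDeployment {
    bytes32 bytecodeHash;
    address newAddress;
    bool callConstructor;
    bytes input;
}

// Hypothetical deployer reproducing the relevant branch of
// ContractDeployer.forceDeployOnAddress; `patched` selects the fixed logic.
contract ForceDeployer {
    MockAccountCodeStorage public immutable codeStorage;
    bool public immutable patched;

    constructor(MockAccountCodeStorage _codeStorage, bool _patched) {
        codeStorage = _codeStorage;
        patched = _patched;
    }

    function forceDeployOnAddress(ForceDeployment calldata d) external {
        // The flag is set unconditionally, before the constructor decision.
        codeStorage.storeAccountConstructingCodeHash(d.newAddress, d.bytecodeHash);

        if (d.callConstructor) {
            _constructContract(d.newAddress, d.input);
        } else if (patched) {
            // The fix: clear the flag even though no constructor runs.
            codeStorage.markAccountCodeHashAsConstructed(d.newAddress);
        }
        // Unpatched with callConstructor == false: falls through, flag still set.
    }

    function _constructContract(address account, bytes calldata) internal {
        // Constructor call and immutables are omitted; only the final step matters here.
        codeStorage.markAccountCodeHashAsConstructed(account);
    }
}

// Drives both variants with callConstructor == false and reports the flag state.
contract ForceDeployRepro {
    function run() external returns (bool unpatchedStuck, bool patchedConstructed) {
        MockAccountCodeStorage store = new MockAccountCodeStorage();
        ForceDeployer unpatched = new ForceDeployer(store, false);
        ForceDeployer fixedDeployer = new ForceDeployer(store, true);

        // Constructed sample values; the hash only needs to look like a bytecode hash.
        ForceDeployment memory d = ForceDeployment({
            bytecodeHash: keccak256("sample-bytecode"),
            newAddress: address(0x8001),
            callConstructor: false,
            input: new bytes(0)
        });

        unpatched.forceDeployOnAddress(d);
        unpatchedStuck = store.isAccountConstructing(d.newAddress);

        fixedDeployer.forceDeployOnAddress(d);
        patchedConstructed = !store.isAccountConstructing(d.newAddress);
    }
}
```

Deploying ForceDeployRepro and calling run() yields (true, true): after the unpatched deployer the account is still flagged as constructing, after the patched one it is not. Both deployers share the same mock store and target address, so the second call first re-sets the flag and then clears it, which is exactly the path the else branch in the mitigation adds.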

#0 - c4-judge

2023-03-24T09:15:49Z

GalloDaSballo marked the issue as primary issue

#1 - GalloDaSballo

2023-03-24T09:15:53Z

Short and sweet, making primary

#2 - c4-judge

2023-03-24T09:17:50Z

GalloDaSballo marked the issue as duplicate of #167

#3 - c4-judge

2023-04-05T12:02:08Z

GalloDaSballo marked the issue as satisfactory

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built by malatrax © 2024
