zkSync Era - J4de's results

Future-proof zkEVM on the mission to scale freedom for all.

General Information

Platform: Code4rena

Start Date: 02/10/2023

Pot Size: $1,100,000 USDC

Total HM: 28

Participants: 64

Period: 21 days

Judge: GalloDaSballo

Total Solo HM: 13

Id: 292

League: ETH

zkSync

Findings Distribution

Researcher Performance

Rank: 36/64

Findings: 2

Award: $929.90

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

273.5673 USDC - $273.57

Labels

bug
2 (Med Risk)
satisfactory
duplicate-425

External Links

Lines of code

https://github.com/code-423n4/2023-10-zksync/blob/main/code/contracts/ethereum/contracts/bridge/L1ERC20Bridge.sol#L340-L350

Vulnerability details

Impact

Deposit Limitation

The [Deposit Limitation](https://github.com/code-423n4/2023-10-zksync/blob/main/docs/Smart contract Section/L1 smart contracts.md#deposit-limitation) mechanism is used to limit the amount of deposits each user can make to the L1 Bridge. In the code, _verifyDepositLimit is generally used to update the total deposit amount of a user. For example, this value is increased on deposit and decreased on claimFailedDeposit.

The BUG

totalDepositedAmountPerUser only starts counting when limitData.depositLimitation is true. This leads to two scenarios.

  • When limitData.depositLimitation is turned on by the administrator after the user fails to deposit, the user's call to claimFailedDeposit will fail because totalDepositedAmountPerUser[_l1Token][_depositor] -= _amount will overflow. This part of the user's funds will be frozen.
  • After limitData.depositLimitation is turned on, the user's deposits made before then will not be counted. This may not be consistent with the design intention of Deposit Limitation.

Proof of Concept

I think the first scenario is more serious, so I'll use it as an example.

  1. The user calls L2ERC20Bridge.deposit (100 TokenA), but the message fails on L2.
  2. The admin turns on limitData.depositLimitation.
  3. The user calls claimFailedDeposit. An integer overflow occurs in the _verifyDepositLimit function because of 0 - 100.
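
The two scenarios above, replayed against a small Python model of the accounting in _verifyDepositLimit. This is an added example, not code from the finding or from zkSync: the BridgeModel class, the scenario functions and the assumption that every modeled deposit fails on L2 are constructed for illustration. It also runs the logic of the mitigation proposed at the end of the finding, including against a deposit made before that logic is in place.

```python
# Simplified single-token model of totalDepositedAmountPerUser (constructed).
# Exceptions stand in for Solidity reverts; state is only changed after checks pass.


class ArithmeticPanic(Exception):
    """Stands in for the Solidity 0.8 checked-arithmetic revert."""


class DepositCapExceeded(Exception):
    """Stands in for the require(..., "d1") failure."""


class BridgeModel:
    def __init__(self, patched):
        self.patched = patched           # True = logic of the proposed mitigation
        self.deposit_limitation = False  # limitData.depositLimitation
        self.deposit_cap = 0             # limitData.depositCap
        self.total_deposited = {}        # totalDepositedAmountPerUser[token][user]
        self.failed_deposits = {}        # assumption: every deposit fails on L2

    def set_deposit_limit(self, enabled, cap):
        self.deposit_limitation, self.deposit_cap = enabled, cap

    def _verify_deposit_limit(self, depositor, amount, claiming):
        if not self.patched and not self.deposit_limitation:
            return  # original early return: nothing is recorded while the limit is off
        current = self.total_deposited.get(depositor, 0)
        if claiming:
            if amount > current:  # uint256 subtraction below zero
                raise ArithmeticPanic("totalDepositedAmountPerUser -= _amount")
            self.total_deposited[depositor] = current - amount
        else:
            if self.deposit_limitation and current + amount > self.deposit_cap:
                raise DepositCapExceeded("d1")
            self.total_deposited[depositor] = current + amount

    def deposit(self, depositor, amount):
        self._verify_deposit_limit(depositor, amount, claiming=False)
        self.failed_deposits[depositor] = self.failed_deposits.get(depositor, 0) + amount

    def claim_failed_deposit(self, depositor):
        amount = self.failed_deposits.get(depositor, 0)
        self._verify_deposit_limit(depositor, amount, claiming=True)
        self.failed_deposits[depositor] = 0
        return amount


def frozen_claim(patched):
    """Scenario 1: deposit with the limit off, limit turned on, then claim."""
    bridge = BridgeModel(patched)
    bridge.deposit("user", 100)
    bridge.set_deposit_limit(True, 100)
    try:
        bridge.claim_failed_deposit("user")
        return "claimed"
    except ArithmeticPanic:
        return "reverted"


def uncounted_history(patched):
    """Scenario 2: a deposit made before the limit was on, then one after."""
    bridge = BridgeModel(patched)
    bridge.deposit("user", 100)
    bridge.set_deposit_limit(True, 100)
    try:
        bridge.deposit("user", 100)  # 200 in total against a cap of 100
        return "accepted"
    except DepositCapExceeded:
        return "rejected"


def pre_upgrade_deposit_claim():
    """Deposit under the original logic, switch to the mitigated logic, claim."""
    bridge = BridgeModel(patched=False)
    bridge.deposit("user", 100)  # not recorded: limit off, original early return
    bridge.patched = True        # models deploying the mitigation afterwards
    try:
        bridge.claim_failed_deposit("user")
        return "claimed"
    except ArithmeticPanic:
        return "reverted"


if __name__ == "__main__":
    for patched in (False, True):
        print("patched" if patched else "original",
              frozen_claim(patched), uncounted_history(patched))
    print("deposit made before the mitigation:", pre_upgrade_deposit_claim())
```

In the model the mitigated logic resolves both scenarios for deposits it has recorded, while a deposit that predates it still cannot be claimed, because its amount was never added to the total.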

POC

diff --git a/code/contracts/ethereum/test/foundry/unit/concrete/Bridge/L1WethBridge/_L1WethBridge_Shared.t.sol b/code/contracts/ethereum/test/foundry/unit/concrete/Bridge/L1WethBridge/_L1WethBridge_Shared.t.sol
index df7a5d1..a1e092c 100644
--- a/code/contracts/ethereum/test/foundry/unit/concrete/Bridge/L1WethBridge/_L1WethBridge_Shared.t.sol
+++ b/code/contracts/ethereum/test/foundry/unit/concrete/Bridge/L1WethBridge/_L1WethBridge_Shared.t.sol
@@ -4,6 +4,7 @@ pragma solidity ^0.8.17;

 import {Test} from "forge-std/Test.sol";
 import {AllowList} from "../../../../../../cache/solpp-generated-contracts/common/AllowList.sol";
+import {L1ERC20Bridge} from "../../../../../../cache/solpp-generated-contracts/bridge/L1ERC20Bridge.sol";
 import {L1WethBridge} from "../../../../../../cache/solpp-generated-contracts/bridge/L1WethBridge.sol";
 import {WETH9} from "../../../../../../cache/solpp-generated-contracts/dev-contracts/WETH9.sol";
 import {GettersFacet} from "../../../../../../cache/solpp-generated-contracts/zksync/facets/Getters.sol";
@@ -24,6 +25,7 @@ contract L1WethBridgeTest is Test {
     L1WethBridge internal bridgeProxy;
     WETH9 internal l1Weth;
     bytes4 internal functionSignature = 0x6c0960f9;
+    IZkSync myZkSync;

     function setUp() public {
         owner = makeAddr("owner");
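Review bot: the added state variable `IZkSync myZkSync;` has no explicit visibility, while the fields around it (`bridgeProxy`, `l1Weth`, `functionSignature`) are all declared `internal`. Declare it as `IZkSync internal myZkSync;` so the test contract stays consistent.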
@@ -81,6 +83,7 @@ contract L1WethBridgeTest is Test {
         l1Weth = new WETH9();

         IZkSync zkSync = IZkSync(address(diamondProxy));
+        myZkSync = zkSync;

         L1WethBridge bridge = new L1WethBridge(payable(address(l1Weth)), zkSync, allowList);

@@ -108,4 +111,68 @@ contract L1WethBridgeTest is Test {
         vm.prank(owner);
         allowList.setAccessMode(address(bridgeProxy), IAllowList.AccessMode.Public);
     }
+
+    function test_ytiumzzPOC() public {
+        // init
+        L1ERC20Bridge l1ERC20Bridge;
+        L1ERC20Bridge l1ERC20BridgeImpl = new L1ERC20Bridge(myZkSync, allowList);
+
+        bytes memory garbageBytecode = abi.encodePacked(
+            bytes32(0x1111111111111111111111111111111111111111111111111111111111111111)
+        );
+        address garbageAddress = makeAddr("garbageAddress");
+
+        bytes[] memory factoryDeps = new bytes[](3);
+        factoryDeps[0] = garbageBytecode;
+        factoryDeps[1] = garbageBytecode;
+        factoryDeps[2] = garbageBytecode;
+        bytes memory bridgeInitData = abi.encodeWithSelector(
+            l1ERC20BridgeImpl.initialize.selector,
+            factoryDeps,
+            garbageAddress,
+            owner,
+            1000000000000000000,
+            1000000000000000000
+        );
+
+        ERC1967Proxy l1ERC20BridgeProxy = new ERC1967Proxy{value: 2000000000000000000}(
+            address(l1ERC20BridgeImpl),
+            bridgeInitData
+        );
+        l1ERC20Bridge = L1ERC20Bridge(payable(address(l1ERC20BridgeProxy)));
+
+        vm.prank(owner);
+        allowList.setAccessMode(address(l1ERC20Bridge), IAllowList.AccessMode.Public);
+
+        // test
+        uint256 amount = 100;
+
+        hoax(randomSigner);
+        l1Weth.deposit{value: amount}();
+
+        vm.prank(randomSigner);
+        l1Weth.approve(address(l1ERC20Bridge), amount);
+
+        vm.prank(randomSigner);
+        bytes32 l2TxHash = l1ERC20Bridge.deposit{value: 1000000000000000000}(
+            randomSigner,
+            address(l1Weth),
+            amount,
+            1000000,
+            800,
+            randomSigner
+        );
+
+        vm.prank(owner);
+        allowList.setDepositLimit(address(l1Weth), true, 100);
+
+        vm.mockCall(
+            address(myZkSync),
+            abi.encodeWithSelector(myZkSync.proveL1ToL2TransactionStatus.selector),
+            abi.encode(true)
+        );
+
+        vm.prank(randomSigner);
+        l1ERC20Bridge.claimFailedDeposit(randomSigner, address(l1Weth), l2TxHash, 0, 0, 0, new bytes32[](0));
+    }
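Review bot: the last call in `test_ytiumzzPOC`, `l1ERC20Bridge.claimFailedDeposit(...)`, is not preceded by `vm.expectRevert`, so the test can only show the bug by failing, and a revert anywhere else in the setup would be reported the same way. Adding `vm.expectRevert(stdError.arithmeticError);` (from forge-std) before that call would make the test pass exactly when the arithmetic panic is hit, and would let it be inverted into a regression test once the fix is in. The test also exercises `L1ERC20Bridge` from inside `L1WethBridgeTest` under a non-descriptive name, and the L2 failure is assumed through `vm.mockCall` on `proveL1ToL2TransactionStatus` rather than produced; a comment saying so would help the reader.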

Output

$ forge test -vvvv --match-contract L1WethBridgeTest
[] Compiling...
No files changed, compilation skipped

Running 1 test for test/foundry/unit/concrete/Bridge/L1WethBridge/_L1WethBridge_Shared.t.sol:L1WethBridgeTest
[FAIL. Reason: Arithmetic over/underflow] test_ytiumzzPOC() (gas: 2649379)
Traces:
  [2601179] L1WethBridgeTest::test_ytiumzzPOC()
    ├─ [1879012] → new L1ERC20Bridge@0x26aFF6f249fDF81492cA987e78f1146296c727b4
    │   └─ ← 9272 bytes of code
    ├─ [0] VM::addr(<pk>) [staticcall]
    │   └─ ← garbageAddress: [0x89b214F423c279427E39563722Df305aF13d5ef6]
    ├─ [0] VM::label(garbageAddress: [0x89b214F423c279427E39563722Df305aF13d5ef6], garbageAddress)
    │   └─ ← ()
    ├─ [363943] → new ERC1967Proxy@0x0F4ee068d0b31250a2BC9A1Fe4Ccc18431920cad
    │   ├─ emit Upgraded(implementation: L1ERC20Bridge: [0x26aFF6f249fDF81492cA987e78f1146296c727b4])
    │   ├─ [301155] L1ERC20Bridge::initialize([0x1111111111111111111111111111111111111111111111111111111111111111, 0x1111111111111111111111111111111111111111111111111111111111111111, 0x1111111111111111111111111111111111111111111111111111111111111111], garbageAddress: [0x89b214F423c279427E39563722Df305aF13d5ef6], owner: [0x7c8999dC9a822c1f0Df42023113EDB4FDd543266], 1000000000000000000 [1e18], 1000000000000000000 [1e18]) [delegatecall]
    │   │   ├─ [72] PRECOMPILE::sha256(1111111111111111111111111111111111111111111111111111111111111111) [staticcall]
    │   │   │   └─ ← 0x02d449a31fbb267c8f352e9968a79e3e5fc95c1bbeaa502fd6454ebde5a4bedc
    │   │   ├─ [72] PRECOMPILE::sha256(1111111111111111111111111111111111111111111111111111111111111111) [staticcall]
    │   │   │   └─ ← 0x02d449a31fbb267c8f352e9968a79e3e5fc95c1bbeaa502fd6454ebde5a4bedc
    │   │   ├─ [72] PRECOMPILE::sha256(1111111111111111111111111111111111111111111111111111111111111111) [staticcall]
    │   │   │   └─ ← 0x02d449a31fbb267c8f352e9968a79e3e5fc95c1bbeaa502fd6454ebde5a4bedc
    │   │   ├─ [107109] DiamondProxy::requestL2Transaction{value: 1000000000000000000}(0x0000000000000000000000000000000000008006, 0, 0x3cda33510000000000000000000000000000000000000000000000000000000000000000010000011fbb267c8f352e9968a79e3e5fc95c1bbeaa502fd6454ebde5a4bedc00000000000000000000000000000000000000000000000000000000000000600000000000000000000000000000000000000000000000000000000000000000, 10000000 [1e7], 800, [0x1111111111111111111111111111111111111111111111111111111111111111, 0x1111111111111111111111111111111111111111111111111111111111111111, 0x1111111111111111111111111111111111111111111111111111111111111111], L1WethBridgeTest: [0x34A1D3fff3958843C43aD80F30b94c510645C316])
    │   │   │   ├─ [99695] MailboxFacet::requestL2Transaction(0x0000000000000000000000000000000000008006, 0, 0x3cda33510000000000000000000000000000000000000000000000000000000000000000010000011fbb267c8f352e9968a79e3e5fc95c1bbeaa502fd6454ebde5a4bedc00000000000000000000000000000000000000000000000000000000000000600000000000000000000000000000000000000000000000000000000000000000, 10000000 [1e7], 800, [0x1111111111111111111111111111111111111111111111111111111111111111, 0x1111111111111111111111111111111111111111111111111111111111111111, 0x1111111111111111111111111111111111111111111111111111111111111111], L1WethBridgeTest: [0x34A1D3fff3958843C43aD80F30b94c510645C316]) [delegatecall]
    │   │   │   │   ├─ [2907] AllowList::canCall(ERC1967Proxy: [0x0F4ee068d0b31250a2BC9A1Fe4Ccc18431920cad], DiamondProxy: [0x0F8458E544c9D4C7C25A881240727209caae20B8], 0xeb672419) [staticcall]
    │   │   │   │   │   └─ ← true
    │   │   │   │   ├─ [4848] AllowList::getTokenDepositLimitData(0x0000000000000000000000000000000000000000) [staticcall]
    │   │   │   │   │   └─ ← (false, 0)
    │   │   │   │   ├─ [72] PRECOMPILE::sha256(1111111111111111111111111111111111111111111111111111111111111111) [staticcall]
    │   │   │   │   │   └─ ← 0x02d449a31fbb267c8f352e9968a79e3e5fc95c1bbeaa502fd6454ebde5a4bedc
    │   │   │   │   ├─ [72] PRECOMPILE::sha256(1111111111111111111111111111111111111111111111111111111111111111) [staticcall]
    │   │   │   │   │   └─ ← 0x02d449a31fbb267c8f352e9968a79e3e5fc95c1bbeaa502fd6454ebde5a4bedc
    │   │   │   │   ├─ [72] PRECOMPILE::sha256(1111111111111111111111111111111111111111111111111111111111111111) [staticcall]
    │   │   │   │   │   └─ ← 0x02d449a31fbb267c8f352e9968a79e3e5fc95c1bbeaa502fd6454ebde5a4bedc
    │   │   │   │   ├─ emit NewPriorityRequest(txId: 2, txHash: 0x2f807f075c7640df1a78278bae4293e39231cf5fdee1a2b8641411486a52c059, expirationTimestamp: 1, transaction: (255, 184825824279047363779686221328517822673579023806 [1.848e47], 32774 [3.277e4], 10000000 [1e7], 800, 500000000 [5e8], 0, 0, 2, 0, [1000000000000000000 [1e18], 397908363620297363327010337672970094883696399399 [3.979e47], 0, 0], 0x3cda33510000000000000000000000000000000000000000000000000000000000000000010000011fbb267c8f352e9968a79e3e5fc95c1bbeaa502fd6454ebde5a4bedc00000000000000000000000000000000000000000000000000000000000000600000000000000000000000000000000000000000000000000000000000000000, 0x, [452312878884883280821743778373067939435164876814260268784515713542320864988 [4.523e74], 452312878884883280821743778373067939435164876814260268784515713542320864988 [4.523e74], 452312878884883280821743778373067939435164876814260268784515713542320864988 [4.523e74]], 0x, 0x), factoryDeps: [0x1111111111111111111111111111111111111111111111111111111111111111, 0x1111111111111111111111111111111111111111111111111111111111111111, 0x1111111111111111111111111111111111111111111111111111111111111111])
    │   │   │   │   └─ ← 0x2f807f075c7640df1a78278bae4293e39231cf5fdee1a2b8641411486a52c059
    │   │   │   └─ ← 0x2f807f075c7640df1a78278bae4293e39231cf5fdee1a2b8641411486a52c059
    │   │   ├─ [75518] DiamondProxy::requestL2Transaction{value: 1000000000000000000}(0x0000000000000000000000000000000000008006, 0, 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, 10000000 [1e7], 800, [], L1WethBridgeTest: [0x34A1D3fff3958843C43aD80F30b94c510645C316])
    │   │   │   ├─ [74610] MailboxFacet::requestL2Transaction(0x0000000000000000000000000000000000008006, 0, 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, 10000000 [1e7], 800, [], L1WethBridgeTest: [0x34A1D3fff3958843C43aD80F30b94c510645C316]) [delegatecall]
    │   │   │   │   ├─ [907] AllowList::canCall(ERC1967Proxy: [0x0F4ee068d0b31250a2BC9A1Fe4Ccc18431920cad], DiamondProxy: [0x0F8458E544c9D4C7C25A881240727209caae20B8], 0xeb672419) [staticcall]
    │   │   │   │   │   └─ ← true
    │   │   │   │   ├─ [848] AllowList::getTokenDepositLimitData(0x0000000000000000000000000000000000000000) [staticcall]
    │   │   │   │   │   └─ ← (false, 0)
    │   │   │   │   ├─ emit NewPriorityRequest(txId: 3, txHash: 0x4223315e43b161ee025ea772debc54b4fe3ff745a04cd15b2559fb4083b8972d, expirationTimestamp: 1, transaction: (255, 184825824279047363779686221328517822673579023806 [1.848e47], 32774 [3.277e4], 10000000 [1e7], 800, 500000000 [5e8], 0, 0, 3, 0, [1000000000000000000 [1e18], 397908363620297363327010337672970094883696399399 [3.979e47], 0, 0], 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, 0x, [], 0x, 0x), factoryDeps: [])
    │   │   │   │   └─ ← 0x4223315e43b161ee025ea772debc54b4fe3ff745a04cd15b2559fb4083b8972d
    │   │   │   └─ ← 0x4223315e43b161ee025ea772debc54b4fe3ff745a04cd15b2559fb4083b8972d
    │   │   └─ ← ()
    │   └─ ← 177 bytes of code
    ├─ [0] VM::prank(owner: [0x7c8999dC9a822c1f0Df42023113EDB4FDd543266])
    │   └─ ← ()
    ├─ [27113] AllowList::setAccessMode(ERC1967Proxy: [0x0F4ee068d0b31250a2BC9A1Fe4Ccc18431920cad], 2)
    │   ├─ emit UpdateAccessMode(target: ERC1967Proxy: [0x0F4ee068d0b31250a2BC9A1Fe4Ccc18431920cad], previousMode: 0, newMode: 2)
    │   └─ ← ()
    ├─ [0] VM::deal(randomSigner: [0xA7B25389b5F80341454Af9b2cA15556A1AA7a045], 340282366920938463463374607431768211456 [3.402e38])
    │   └─ ← ()
    ├─ [0] VM::prank(randomSigner: [0xA7B25389b5F80341454Af9b2cA15556A1AA7a045])
    │   └─ ← ()
    ├─ [23914] WETH9::deposit{value: 100}()
    │   ├─ emit Deposit(dst: randomSigner: [0xA7B25389b5F80341454Af9b2cA15556A1AA7a045], wad: 100)
    │   └─ ← ()
    ├─ [0] VM::prank(randomSigner: [0xA7B25389b5F80341454Af9b2cA15556A1AA7a045])
    │   └─ ← ()
    ├─ [24523] WETH9::approve(ERC1967Proxy: [0x0F4ee068d0b31250a2BC9A1Fe4Ccc18431920cad], 100)
    │   ├─ emit Approval(owner: randomSigner: [0xA7B25389b5F80341454Af9b2cA15556A1AA7a045], spender: ERC1967Proxy: [0x0F4ee068d0b31250a2BC9A1Fe4Ccc18431920cad], value: 100)
    │   └─ ← true
    ├─ [0] VM::prank(randomSigner: [0xA7B25389b5F80341454Af9b2cA15556A1AA7a045])
    │   └─ ← ()
    ├─ [133812] ERC1967Proxy::deposit{value: 1000000000000000000}(randomSigner: [0xA7B25389b5F80341454Af9b2cA15556A1AA7a045], WETH9: [0x4d04375eCD86c2B81eb0F55B37aA3fAb41CeCBc4], 100, 1000000 [1e6], 800, randomSigner: [0xA7B25389b5F80341454Af9b2cA15556A1AA7a045])
    │   ├─ [133472] L1ERC20Bridge::deposit(randomSigner: [0xA7B25389b5F80341454Af9b2cA15556A1AA7a045], WETH9: [0x4d04375eCD86c2B81eb0F55B37aA3fAb41CeCBc4], 100, 1000000 [1e6], 800, randomSigner: [0xA7B25389b5F80341454Af9b2cA15556A1AA7a045]) [delegatecall]
    │   │   ├─ [907] AllowList::canCall(randomSigner: [0xA7B25389b5F80341454Af9b2cA15556A1AA7a045], ERC1967Proxy: [0x0F4ee068d0b31250a2BC9A1Fe4Ccc18431920cad], 0xe8b99b1b) [staticcall]
    │   │   │   └─ ← true
    │   │   ├─ [2541] WETH9::balanceOf(ERC1967Proxy: [0x0F4ee068d0b31250a2BC9A1Fe4Ccc18431920cad]) [staticcall]
    │   │   │   └─ ← 0
    │   │   ├─ [19531] WETH9::transferFrom(randomSigner: [0xA7B25389b5F80341454Af9b2cA15556A1AA7a045], ERC1967Proxy: [0x0F4ee068d0b31250a2BC9A1Fe4Ccc18431920cad], 100)
    │   │   │   ├─ emit Transfer(from: randomSigner: [0xA7B25389b5F80341454Af9b2cA15556A1AA7a045], to: ERC1967Proxy: [0x0F4ee068d0b31250a2BC9A1Fe4Ccc18431920cad], value: 100)
    │   │   │   └─ ← true
    │   │   ├─ [541] WETH9::balanceOf(ERC1967Proxy: [0x0F4ee068d0b31250a2BC9A1Fe4Ccc18431920cad]) [staticcall]
    │   │   │   └─ ← 100
    │   │   ├─ [4848] AllowList::getTokenDepositLimitData(WETH9: [0x4d04375eCD86c2B81eb0F55B37aA3fAb41CeCBc4]) [staticcall]
    │   │   │   └─ ← (false, 0)
    │   │   ├─ [3170] WETH9::name() [staticcall]
    │   │   │   └─ ← Wrapped Ether
    │   │   ├─ [3213] WETH9::symbol() [staticcall]
    │   │   │   └─ ← WETH
    │   │   ├─ [2313] WETH9::decimals() [staticcall]
    │   │   │   └─ ← 18
    │   │   ├─ [78413] DiamondProxy::requestL2Transaction{value: 1000000000000000000}(0x66a041cC039EF907bCBe95751e6C54A6f776F0D2, 0, 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, 1000000 [1e6], 800, [], randomSigner: [0xA7B25389b5F80341454Af9b2cA15556A1AA7a045])
    │   │   │   ├─ [77462] MailboxFacet::requestL2Transaction(0x66a041cC039EF907bCBe95751e6C54A6f776F0D2, 0, 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, 1000000 [1e6], 800, [], randomSigner: [0xA7B25389b5F80341454Af9b2cA15556A1AA7a045]) [delegatecall]
    │   │   │   │   ├─ [907] AllowList::canCall(ERC1967Proxy: [0x0F4ee068d0b31250a2BC9A1Fe4Ccc18431920cad], DiamondProxy: [0x0F8458E544c9D4C7C25A881240727209caae20B8], 0xeb672419) [staticcall]
    │   │   │   │   │   └─ ← true
    │   │   │   │   ├─ [848] AllowList::getTokenDepositLimitData(0x0000000000000000000000000000000000000000) [staticcall]
    │   │   │   │   │   └─ ← (false, 0)
    │   │   │   │   ├─ emit NewPriorityRequest(txId: 4, txHash: 0x1b772af892bc9024fc49b65e2dc91171a01a72791c11fee4cd10022da60222d5, expirationTimestamp: 1, transaction: (255, 184825824279047363779686221328517822673579023806 [1.848e47], 585890909576798065285910248335917376669429985490 [5.858e47], 1000000 [1e6], 800, 500000000 [5e8], 0, 0, 4, 0, [1000000000000000000 [1e18], 957378268553214278611660439696092555084711829573 [9.573e47], 0, 0], 0xcfe7af7c000000000000000000000000a7b25389b5f80341454af9b2ca15556a1aa7a045000000000000000000000000a7b25389b5f80341454af9b2ca15556a1aa7a0450000000000000000000000004d04375ecd86c2b81eb0f55b37aa3fab41cecbc4000000000000000000000000000000000000000000000000000000000000006400000000000000000000000000000000000000000000000000000000000000a000000000000000000000000000000000000000000000000000000000000001a0000000000000000000000000000000000000000000000000000000000000006000000000000000000000000000000000000000000000000000000000000000e0000000000000000000000000000000000000000000000000000000000000016000000000000000000000000000000000000000000000000000000000000000600000000000000000000000000000000000000000000000000000000000000020000000000000000000000000000000000000000000000000000000000000000d5772617070656420457468657200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006000000000000000000000000000000000000000000000000000000000000000200000000000000000000000000000000000000000000000000000000000000004574554480000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200000000000000000000000000000000000000000000000000000000000000012, 0x, [], 0x, 0x), factoryDeps: [])
    │   │   │   │   └─ ← 0x1b772af892bc9024fc49b65e2dc91171a01a72791c11fee4cd10022da60222d5
    │   │   │   └─ ← 0x1b772af892bc9024fc49b65e2dc91171a01a72791c11fee4cd10022da60222d5
    │   │   ├─ emit DepositInitiated(l2DepositTxHash: 0x1b772af892bc9024fc49b65e2dc91171a01a72791c11fee4cd10022da60222d5, from: randomSigner: [0xA7B25389b5F80341454Af9b2cA15556A1AA7a045], to: randomSigner: [0xA7B25389b5F80341454Af9b2cA15556A1AA7a045], l1Token: WETH9: [0x4d04375eCD86c2B81eb0F55B37aA3fAb41CeCBc4], amount: 100)
    │   │   └─ ← 0x1b772af892bc9024fc49b65e2dc91171a01a72791c11fee4cd10022da60222d5
    │   └─ ← 0x1b772af892bc9024fc49b65e2dc91171a01a72791c11fee4cd10022da60222d5
    ├─ [0] VM::prank(owner: [0x7c8999dC9a822c1f0Df42023113EDB4FDd543266])
    │   └─ ← ()
    ├─ [40903] AllowList::setDepositLimit(WETH9: [0x4d04375eCD86c2B81eb0F55B37aA3fAb41CeCBc4], true, 100)
    │   └─ ← ()
    ├─ [0] VM::mockCall(DiamondProxy: [0x0F8458E544c9D4C7C25A881240727209caae20B8], 0x042901c7, 0x0000000000000000000000000000000000000000000000000000000000000001)
    │   └─ ← ()
    ├─ [0] VM::prank(randomSigner: [0xA7B25389b5F80341454Af9b2cA15556A1AA7a045])
    │   └─ ← ()
    ├─ [8097] ERC1967Proxy::claimFailedDeposit(randomSigner: [0xA7B25389b5F80341454Af9b2cA15556A1AA7a045], WETH9: [0x4d04375eCD86c2B81eb0F55B37aA3fAb41CeCBc4], 0x1b772af892bc9024fc49b65e2dc91171a01a72791c11fee4cd10022da60222d5, 0, 0, 0, [])
    │   ├─ [7656] L1ERC20Bridge::claimFailedDeposit(randomSigner: [0xA7B25389b5F80341454Af9b2cA15556A1AA7a045], WETH9: [0x4d04375eCD86c2B81eb0F55B37aA3fAb41CeCBc4], 0x1b772af892bc9024fc49b65e2dc91171a01a72791c11fee4cd10022da60222d5, 0, 0, 0, []) [delegatecall]
    │   │   ├─ [907] AllowList::canCall(randomSigner: [0xA7B25389b5F80341454Af9b2cA15556A1AA7a045], ERC1967Proxy: [0x0F4ee068d0b31250a2BC9A1Fe4Ccc18431920cad], 0x19fa7f62) [staticcall]
    │   │   │   └─ ← true
    │   │   ├─ [0] DiamondProxy::proveL1ToL2TransactionStatus(0x1b772af892bc9024fc49b65e2dc91171a01a72791c11fee4cd10022da60222d5, 0, 0, 0, [], 0) [staticcall]
    │   │   │   └─ ← true
    │   │   ├─ [848] AllowList::getTokenDepositLimitData(WETH9: [0x4d04375eCD86c2B81eb0F55B37aA3fAb41CeCBc4]) [staticcall]
    │   │   │   └─ ← (true, 100)
    │   │   └─ ← "Arithmetic over/underflow"
    │   └─ ← "Arithmetic over/underflow"
    └─ ← "Arithmetic over/underflow"

Test result: FAILED. 0 passed; 1 failed; 0 skipped; finished in 12.95ms

Ran 1 test suites: 0 tests passed, 1 failed, 0 skipped (1 total tests)

Failing tests:
Encountered 1 failing test in test/foundry/unit/concrete/Bridge/L1WethBridge/_L1WethBridge_Shared.t.sol:L1WethBridgeTest
[FAIL. Reason: Arithmetic over/underflow] test_ytiumzzPOC() (gas: 2649379)

Encountered a total of 1 failing tests, 0 tests succeeded

Tools Used

Manual

    function _verifyDepositLimit(address _l1Token, address _depositor, uint256 _amount, bool _claiming) internal {
        IAllowList.Deposit memory limitData = IAllowList(allowList).getTokenDepositLimitData(_l1Token);
-       if (!limitData.depositLimitation) return; // no deposit limitation is placed for this token

        if (_claiming) {
            totalDepositedAmountPerUser[_l1Token][_depositor] -= _amount;
        } else {
-           require(totalDepositedAmountPerUser[_l1Token][_depositor] + _amount <= limitData.depositCap, "d1");
+           if (limitData.depositLimitation) {
+               require(totalDepositedAmountPerUser[_l1Token][_depositor] + _amount <= limitData.depositCap, "d1");
+           }
            totalDepositedAmountPerUser[_l1Token][_depositor] += _amount;
        }
    }
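Review bot: the `_claiming` branch still runs `totalDepositedAmountPerUser[_l1Token][_depositor] -= _amount;` unconditionally, so a failed deposit that was initiated before this change is deployed, while nothing was being counted for a token without a limit, would still revert on claim with the same arithmetic underflow. Consider subtracting at most the recorded balance in that branch, or describing how pre-existing deposits are migrated. Removing the early return also means every deposit of every token now writes to `totalDepositedAmountPerUser`, including tokens with no limit, which is worth stating in the change description.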

Assessed type

Other

#0 - c4-pre-sort

2023-11-02T15:24:37Z

141345 marked the issue as duplicate of #425

#1 - c4-judge

2023-11-24T20:00:51Z

GalloDaSballo marked the issue as satisfactory

Findings Information

Labels

bug
2 (Med Risk)
downgraded by judge
satisfactory
duplicate-246

Awards

656.3255 USDC - $656.33

External Links

Lines of code

https://github.com/code-423n4/2023-10-zksync/blob/main/code/contracts/ethereum/contracts/zksync/facets/Mailbox.sol#L261

Vulnerability details

Impact

The L1WETHBridge contract converts WETH into native ETH and sends it to L2 through MailboxFacet.requestL2Transaction.

        // The L1 -> L2 transaction may be failed and funds will be sent to the `_refundRecipient`,
        // so we use `msg.value` instead of `_l2Value` as the bridged amount.
        _verifyDepositLimit(msg.sender, msg.value);

The requestL2Transaction function limits the total deposits made by msg.sender. When the L1WETHBridge contract calls requestL2Transaction, msg.sender is the contract address of L1WETHBridge.

An attacker can repeatedly send WETH back and forth between L1 and L2 via L1WETHBridge and L2WethBridge until the deposit limit of L1WETHBridge is consumed. As a result, no one can make cross-chain transfers through L1WETHBridge.

Proof of Concept

Tools Used

Manual

The L1WETHBridge contract has privileges and can specify the sender of requestL2Transaction instead of msg.sender.

        // The L1 -> L2 transaction may be failed and funds will be sent to the `_refundRecipient`,
        // so we use `msg.value` instead of `_l2Value` as the bridged amount.
-       _verifyDepositLimit(msg.sender, msg.value);
+       if (fromL1WETHBridge()) {
+           _verifyDepositLimit(l1WETHBridgesender, msg.value);
+       } else {
+           _verifyDepositLimit(msg.sender, msg.value);
+       }
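Review bot: `fromL1WETHBridge()` and `l1WETHBridgesender` in the added branch are not defined anywhere in this hunk, and the visible code gives the bridge no way to pass the original depositor into this function. The change should show how that address reaches `_verifyDepositLimit` and that only the L1WETHBridge can supply it, since otherwise a deposit could be counted against an account that did not make it. `l1WETHBridgesender` would also read more consistently as `l1WethBridgeSender`.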

Assessed type

Other
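
The Impact section above turns on the Mailbox keying its deposit limit by msg.sender, which is the bridge contract for every WETH deposit. The model below is an added example, not code from the submission or from zkSync: MailboxModel, the account names, the cap of 10 units and the assumption that a withdrawal never reduces the counter are all constructed for illustration.

```python
# Added illustration: reduced model of the per-sender deposit accounting.
# Names, addresses and the cap are constructed; this is not the zkSync code.

class DepositLimitExceeded(Exception):
    """Stands in for the revert raised by the deposit-limit require."""


class MailboxModel:
    def __init__(self, deposit_cap, weth_bridge, attribute_to_depositor):
        self.deposit_cap = deposit_cap
        self.weth_bridge = weth_bridge
        # False: limit keyed by msg.sender. True: bridged deposits are keyed
        # by the original depositor (the idea behind the recommendation).
        self.attribute_to_depositor = attribute_to_depositor
        self.total_deposited = {}  # models totalDepositedAmountPerUser

    def _verify_deposit_limit(self, depositor, amount):
        used = self.total_deposited.get(depositor, 0)
        if used + amount > self.deposit_cap:
            raise DepositLimitExceeded(depositor)
        self.total_deposited[depositor] = used + amount

    def request_l2_transaction(self, msg_sender, value, original_depositor=None):
        account = msg_sender
        # Only the bridge may name another account to be charged.
        if (self.attribute_to_depositor and msg_sender == self.weth_bridge
                and original_depositor is not None):
            account = original_depositor
        self._verify_deposit_limit(account, value)


def bridge_deposit(mailbox, user, amount):
    """L1WETHBridge path: the bridge, not the user, is msg.sender."""
    try:
        mailbox.request_l2_transaction(mailbox.weth_bridge, amount, user)
        return True
    except DepositLimitExceeded:
        return False


def run_scenario(attribute_to_depositor, cap=10, rounds=10):
    """One account cycles 1 unit `rounds` times, then another user deposits.
    Assumption: withdrawing to L1 never reduces the counter."""
    mailbox = MailboxModel(cap, "L1WETHBridge", attribute_to_depositor)
    for _ in range(rounds):
        bridge_deposit(mailbox, "cycling_account", 1)
    other_user_ok = bridge_deposit(mailbox, "other_user", 1)
    return other_user_ok, dict(mailbox.total_deposited)
```

With `attribute_to_depositor=False` the whole cap is recorded against the bridge and the second user's deposit is rejected; with `True` only the cycling account's own allowance is used up.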

#0 - c4-pre-sort

2023-10-31T14:30:36Z

bytes032 marked the issue as duplicate of #246

#1 - miladpiri

2023-11-09T12:48:45Z

Duplicate.

#2 - c4-judge

2023-11-24T19:20:48Z

GalloDaSballo changed the severity to 2 (Med Risk)

#3 - c4-judge

2023-11-28T15:59:31Z

GalloDaSballo marked the issue as satisfactory
