zkSync v2 contest - cccz's results

Rely on math, not validators.

General Information

Platform: Code4rena

Start Date: 28/10/2022

Pot Size: $165,500 USDC

Total HM: 2

Participants: 24

Period: 12 days

Judge: GalloDaSballo

Total Solo HM: 1

Id: 177

League: ETH

zkSync

Findings Distribution

Researcher Performance

Rank: 14/24

Findings: 1

Award: $250.77

QA: grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: HE1M

Also found by: 0xSmartContract, Rolezn, Tomo, brgltd, cccz, chaduke, ctf_sec, datapunk, jayjonah8, ladboy233, pashov, rbserver

Labels

bug
downgraded by judge
QA (Quality Assurance)
grade-b
Q-07

Awards

250.7706 USDC - $250.77

External Links

Lines of code

https://github.com/code-423n4/2022-10-zksync/blob/4db6c596931a291b17a4e0e2929adf810a4a0eed/ethereum/contracts/zksync/facets/Mailbox.sol#L106-L114

Vulnerability details

Impact

In the deposit function of the L1 bridge contracts (L1EthBridge and L1ERC20Bridge), ETH is forwarded to zkSyncMailbox as the zkSync fee.

    // Excerpt from L1ERC20Bridge.deposit as quoted in the report; the
    // remainder of the function body is omitted here.
    function deposit(
        address _l2Receiver,
        address _l1Token,
        uint256 _amount
    ) external payable nonReentrant senderCanCallFunction(allowList) returns (bytes32 txHash) {
        uint256 amount = _depositFunds(msg.sender, IERC20(_l1Token), _amount);
        require(amount > 0, "1T"); // empty deposit amount

        bytes memory l2TxCalldata = _getDepositL2Calldata(msg.sender, _l2Receiver, _l1Token, amount);
        // The whole msg.value is passed on to the mailbox as the L2 fee
        txHash = zkSyncMailbox.requestL2Transaction{value: msg.value}(
            l2Bridge,
            0, // L2 msg.value
            l2TxCalldata,
            DEPOSIT_ERGS_LIMIT,
            new bytes[](0)
        );
        // ...
    }

However, MailboxFacet exposes no function to withdraw the collected zkSync fee, so this ETH stays locked in the contract. Although MailboxFacet is upgradable, per https://github.com/code-423n4/org/issues/11 this should still be rated medium.

Proof of Concept

https://github.com/code-423n4/2022-10-zksync/blob/4db6c596931a291b17a4e0e2929adf810a4a0eed/ethereum/contracts/bridge/L1EthBridge.sol#L88-L104

https://github.com/code-423n4/2022-10-zksync/blob/4db6c596931a291b17a4e0e2929adf810a4a0eed/ethereum/contracts/bridge/L1ERC20Bridge.sol#L111-L126

https://github.com/code-423n4/2022-10-zksync/blob/4db6c596931a291b17a4e0e2929adf810a4a0eed/ethereum/contracts/zksync/facets/Mailbox.sol#L106-L114

Tools Used

None

Recommended Mitigation Steps

Consider implementing functions to withdraw zkSyncFee.
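The shape of the missing piece, as an added illustration that is not zkSync's code: a minimal fee-collecting mailbox that books incoming fees in its own ledger and exposes a governor-gated withdrawal. The contract and member names (FeeMailbox, governor, collectedFees, withdrawFees) are hypothetical, and it assumes the contract may also hold ETH that is not fee revenue, which is why it never pays out address(this).balance wholesale.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Hypothetical stand-in for a mailbox facet (example code, not zkSync's).
/// Fees are tracked separately from any other ETH the contract might hold,
/// so a withdrawal can never touch funds that belong to users.
contract FeeMailbox {
    address public immutable governor;
    /// Fees received so far that have not yet been withdrawn.
    uint256 public collectedFees;

    event FeesWithdrawn(address indexed to, uint256 amount);

    constructor(address _governor) {
        require(_governor != address(0), "governor=0");
        governor = _governor;
    }

    modifier onlyGovernor() {
        require(msg.sender == governor, "not governor");
        _;
    }

    /// Stand-in for requestL2Transaction: msg.value is the L2 fee.
    /// In the reported code the ETH stops here and nothing ever moves it out.
    function requestL2Transaction(bytes calldata /*l2Calldata*/) external payable returns (bytes32 txHash) {
        collectedFees += msg.value; // book the fee explicitly
        txHash = keccak256(abi.encode(msg.sender, msg.value, block.number));
    }

    /// The missing function: only booked fees can leave, only the governor
    /// can trigger it, and state is updated before the external call.
    function withdrawFees(address payable _to, uint256 _amount) external onlyGovernor {
        require(_to != address(0), "to=0");
        require(_amount <= collectedFees, "exceeds collected fees");
        collectedFees -= _amount; // effects before interaction
        (bool ok, ) = _to.call{value: _amount}("");
        require(ok, "transfer failed");
        emit FeesWithdrawn(_to, _amount);
    }
}
```

In a diamond such as zkSync's, the same pattern would live in a facet and the governor check would reuse the diamond's existing access-control storage rather than an immutable.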

#0 - c4-judge

2022-11-16T19:11:00Z

GalloDaSballo marked the issue as duplicate of #279

#1 - GalloDaSballo

2022-11-27T20:28:02Z

L

#2 - c4-judge

2022-11-27T20:28:05Z

GalloDaSballo changed the severity to QA (Quality Assurance)

#3 - c4-judge

2022-12-03T19:13:25Z

GalloDaSballo marked the issue as grade-c

#4 - c4-judge

2022-12-08T23:46:59Z

GalloDaSballo marked the issue as grade-b

#5 - GalloDaSballo

2022-12-08T23:47:31Z

With 4 Low Severity findings, I am giving it 2 bonus points to award a B
