Platform: Code4rena
Start Date: 28/10/2022
Pot Size: $165,500 USDC
Total HM: 2
Participants: 24
Period: 12 days
Judge: GalloDaSballo
Total Solo HM: 1
Id: 177
League: ETH
Rank: 18/24
Findings: 1
Award: $250.77
🌟 Selected for report: 0
🚀 Solo Findings: 0
250.7706 USDC - $250.77
When user deposit in L1ETHBridge.sol, they can avoid paying the fee by making msg.value == amount
Let us check this code in L1ETHBridge::deposit
// Will revert if msg.value is less than the amount of the deposit uint256 zkSyncFee = msg.value - _amount; bytes memory l2TxCalldata = _getDepositL2Calldata(msg.sender, _l2Receiver, _amount); txHash = zkSyncMailbox.requestL2Transaction{value: zkSyncFee}( l2Bridge, 0, // L2 msg.value l2TxCalldata, DEPOSIT_ERGS_LIMIT, new bytes[](0) ); // Save the deposit amount, to claim funds back if the L2 transaction will failed depositAmount[msg.sender][txHash] = _amount;
For example, the user can setting the msg.value to 1 ETH and amount to 1 ETH.
msg.value - amount is 0 so the user does not need to pay the zkSyncFee,
however, note the line
// Save the deposit amount, to claim funds back if the L2 transaction will failed depositAmount[msg.sender][txHash] = _amount;
the amount 1 ETH is still recorded in the smart contract!
Code Insepection
The dev can change the code to enforce the logic that % of fee needs to be charged before calling txHash = zkSyncMailbox.requestL2Transaction{value: zkSyncFee}
#0 - c4-judge
2022-11-14T20:56:53Z
GalloDaSballo marked the issue as duplicate of #262
#1 - GalloDaSballo
2022-11-27T20:35:12Z
L
#2 - c4-judge
2022-11-27T20:35:27Z
GalloDaSballo changed the severity to QA (Quality Assurance)
#3 - c4-judge
2022-12-03T19:13:26Z
GalloDaSballo marked the issue as grade-c
#4 - c4-judge
2022-12-08T23:46:58Z
GalloDaSballo marked the issue as grade-b
#5 - GalloDaSballo
2022-12-08T23:47:28Z
With 4 Low Severity finding, am giving it 2 bonus points to award a B