zkSync Era - erebus's results

General Information

Platform: Code4rena

Start Date: 07/03/2024

Pot Size: $250,000 USDC

Total HM: 5

Participants: 24

Period: 21 days

Judge: 0xsomeone

Total Solo HM: 3

Id: 347

League: ETH

zkSync

Findings Distribution

Researcher Performance

Rank: 18/24

Findings: 1

Award: $565.16

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

Labels

bug
2 (Med Risk)
disagree with severity
downgraded by judge
satisfactory
sponsor confirmed
:robot:_07_group
duplicate-97

Awards

565.1582 USDC - $565.16

External Links

Lines of code

https://github.com/code-423n4/2024-03-zksync/blob/4f0ba34f34a864c354c7e8c47643ed8f4a250e13/code/contracts/ethereum/contracts/state-transition/StateTransitionManager.sol#L166

Vulnerability details

Impact

There is a typo in the unfreeze path for a hyperchain: `unfreezeChain` calls `freezeDiamond()` instead of `unfreezeDiamond()`, so a chain that has been frozen cannot be unfrozen through the StateTransitionManager.

Proof of Concept

Pretty visual

StateTransitionManager, function unfreezeChain

    /// @dev freezes the specified chain
    function unfreezeChain(uint256 _chainId) external onlyOwner {
        IZkSyncStateTransition(stateTransition[_chainId]).freezeDiamond(); // @audit must be unfreezeDiamond(), typo
    }

Calling unfreezeChain on an already-frozen chain will always revert, because the call lands in freezeDiamond and hits the following require in

Admin, function freezeDiamond

    function freezeDiamond() external onlyAdminOrStateTransitionManager {
        ...

        require(!diamondStorage.isFrozen, "a9"); // diamond proxy is frozen already
        
        ...
    }

Runnable POC (for completeness)

    function test_freezeX2() public {
        address admin = utilsFacet.util_getAdmin();

        vm.startPrank(admin);
        // first freeze succeeds and sets diamondStorage.isFrozen
        adminFacet.freezeDiamond();
        // second freeze is the same call path unfreezeChain() takes because of the typo;
        // expectRevert must sit directly before the call that is expected to revert
        vm.expectRevert(bytes("a9"));
        adminFacet.freezeDiamond();
        vm.stopPrank();
    }
    
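The POC above exercises the Admin facet directly. The following Foundry test is an added, self-contained reproduction of the same bug through a manager contract, and is not code from the zkSync repository: `MockDiamond`, `ManagerBase`, `BuggyManager`, `FixedManager`, `CHAIN_ID` and the `"not frozen"` error string are constructed stand-ins (the manager's `onlyOwner` check is omitted). It shows that with the typo the chain stays frozen forever via `unfreezeChain`, and that the one-word fix restores unfreezing.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";

// Constructed stand-in for the diamond's Admin facet: only the frozen flag and the
// "a9" check matter for this bug. Not zkSync's code; "not frozen" is a hypothetical string.
contract MockDiamond {
    bool public isFrozen;
    address public immutable manager;

    constructor(address _manager) {
        manager = _manager;
    }

    modifier onlyManager() {
        require(msg.sender == manager, "not manager");
        _;
    }

    function freezeDiamond() external onlyManager {
        require(!isFrozen, "a9"); // diamond proxy is frozen already
        isFrozen = true;
    }

    function unfreezeDiamond() external onlyManager {
        require(isFrozen, "not frozen");
        isFrozen = false;
    }
}

// Minimal manager shape: chainId -> diamond mapping plus freeze/unfreeze forwarding.
abstract contract ManagerBase {
    mapping(uint256 => address) public stateTransition;

    function register(uint256 chainId, address diamond) external {
        stateTransition[chainId] = diamond;
    }

    function freezeChain(uint256 chainId) external {
        MockDiamond(stateTransition[chainId]).freezeDiamond();
    }

    function unfreezeChain(uint256 chainId) external virtual;
}

// Reproduces the reported typo: unfreeze forwards to freezeDiamond().
contract BuggyManager is ManagerBase {
    function unfreezeChain(uint256 chainId) external override {
        MockDiamond(stateTransition[chainId]).freezeDiamond();
    }
}

// The proposed fix: unfreeze forwards to unfreezeDiamond().
contract FixedManager is ManagerBase {
    function unfreezeChain(uint256 chainId) external override {
        MockDiamond(stateTransition[chainId]).unfreezeDiamond();
    }
}

contract UnfreezeTypoTest is Test {
    uint256 constant CHAIN_ID = 270; // arbitrary test chain id

    function _deploy(ManagerBase m) internal returns (MockDiamond d) {
        d = new MockDiamond(address(m));
        m.register(CHAIN_ID, address(d));
    }

    function test_buggyManagerCannotUnfreeze() public {
        BuggyManager m = new BuggyManager();
        MockDiamond d = _deploy(m);

        m.freezeChain(CHAIN_ID);
        assertTrue(d.isFrozen());

        // The inner freezeDiamond() reverts with "a9" and the revert data bubbles up.
        vm.expectRevert(bytes("a9"));
        m.unfreezeChain(CHAIN_ID);

        // No path through the manager can clear the flag.
        assertTrue(d.isFrozen());
    }

    function test_fixedManagerUnfreezes() public {
        FixedManager m = new FixedManager();
        MockDiamond d = _deploy(m);

        m.freezeChain(CHAIN_ID);
        m.unfreezeChain(CHAIN_ID);
        assertFalse(d.isFrozen());
    }
}
```

Run with `forge test --match-contract UnfreezeTypoTest`. The revert data from the diamond is propagated unchanged by the external call, which is why the manager-level call is expected to revert with the facet's own "a9" string.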

Trivial

StateTransitionManager, function unfreezeChain

    /// @dev freezes the specified chain
    function unfreezeChain(uint256 _chainId) external onlyOwner {
-       IZkSyncStateTransition(stateTransition[_chainId]).freezeDiamond();
+       IZkSyncStateTransition(stateTransition[_chainId]).unfreezeDiamond();
    }
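Review bot: the unchanged `/// @dev freezes the specified chain` NatSpec on the first line of the hunk still describes freezing; update it to "unfreezes the specified chain" in the same change, since a copy-pasted docstring on the sibling function is exactly what let the `freezeDiamond()`/`unfreezeDiamond()` mix-up pass review. It would also be worth pairing the fix with a test that freezes and then unfreezes through `StateTransitionManager.unfreezeChain` itself, because the POC above only exercises the Admin facet directly and would not catch a regression of this typo.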

Assessed type

Other

#0 - c4-judge

2024-04-02T17:01:57Z

alex-ppg marked the issue as duplicate of #97

#1 - c4-sponsor

2024-04-04T12:15:24Z

saxenism (sponsor) confirmed

#2 - c4-sponsor

2024-04-04T12:15:29Z

saxenism marked the issue as disagree with severity

#3 - saxenism

2024-04-04T12:16:01Z

Thank you for the finding.

We, however, think this is a medium severity issue since in the current codebase admin could also unfreeze.

#4 - c4-judge

2024-04-29T13:51:53Z

alex-ppg changed the severity to 2 (Med Risk)

#5 - c4-judge

2024-04-29T13:53:03Z

alex-ppg marked the issue as partial-75

#6 - c4-judge

2024-04-29T13:53:37Z

alex-ppg marked the issue as satisfactory

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built by malatrax © 2024
