Back to wangxx2026's contests

zkSync Era - wangxx2026's results

Future-proof zkEVM on the mission to scale freedom for all.

General Information

Platform: Code4rena

Start Date: 02/10/2023

Pot Size: $1,100,000 USDC

Total HM: 28

Participants: 64

Period: 21 days

Judge: GalloDaSballo

Total Solo HM: 13

Id: 292

League: ETH

zkSync

Findings Distribution

Researcher Performance

Rank: 63/64

Findings: 1

Award: $95.22

QA:
grade-b

🌟 Selected for report: 0

πŸš€ Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryzkSync

Findings Information

🌟 Selected for report: erebus

Also found by: 0xTheC0der, Bauchibred, HE1M, Jorgect, Udsen, alexfilippov314, chaduke, evmboi32, hash, ladboy233, lsaudit, oakcobalt, rvierdiiev, ustas, wangxx2026, xuwinnie, zero-idea, zkrunner

Awards

95.2225 USDC - $95.22

Labels

bug
downgraded by judge
grade-b
low quality report
QA (Quality Assurance)
sponsor disputed
Q-19

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2023-10-zksync/blob/1fb4649b612fac7b4ee613df6f6b7d921ddd6b0d/code/contracts/ethereum/contracts/zksync/ValidatorTimelock.sol#L113-L128 https://github.com/code-423n4/2023-10-zksync/blob/1fb4649b612fac7b4ee613df6f6b7d921ddd6b0d/code/contracts/ethereum/contracts/zksync/facets/Executor.sol#L291-L307 https://github.com/code-423n4/2023-10-zksync/blob/1fb4649b612fac7b4ee613df6f6b7d921ddd6b0d/code/contracts/ethereum/contracts/zksync/facets/Admin.sol#L68-L71 https://github.com/code-423n4/2023-10-zksync/blob/1fb4649b612fac7b4ee613df6f6b7d921ddd6b0d/code/contracts/ethereum/contracts/zksync/facets/Base.sol#L24-L33

Vulnerability details

Impact

A user can bypass time limits and Governance authorization to execute executeBatches

In the readme, it is particularly emphasized that authorized users must also receive process restrictions, so the impact should be high

Proof of Concept

The execution of ValidatorTimelock.executeBatches adds a time limit, the code is shown below.

    function executeBatches(StoredBatchInfo[] calldata _newBatchesData) external onlyValidator {
   ...
       require(block.timestamp >= commitBatchTimestamp + delay, "5c"); // The delay is not passed
   ...
    }

Then request the ExecutorFacet.executeBatches method through DiamondProxy. This method has no time limit and can also be accessed directly by authorized users. The code is as follows //found

    function executeBatches(StoredBatchInfo[] calldata _batchesData) external nonReentrant onlyValidator { // found
...

    }

    /// @notice Checks if validator is active
    modifier onlyValidator() {
        require(s.validators[msg.sender], "1h"); //found
        _;
    }

Governor authorization is not required, and access can also be authorized through admin. The code is as follows //found

    function setValidator(address _validator, bool _active) external onlyGovernorOrAdmin {
        s.validators[_validator] = _active; // found
        emit ValidatorStatusUpdate(_validator, _active);
    }

    modifier onlyGovernorOrAdmin() {
        require(msg.sender == s.governor || msg.sender == s.admin, "Only by governor or admin");// found
        _;
    }

Finally, a Validator not authorized by the Governor can bypass the time limit and execute executeBatches in advance.

Tools Used

Manual Review

In ExecutorFacet.executeBatches, adding msg.sender can only be the ValidatorTimelock contract

Assessed type

Access Control

#0 - c4-pre-sort

2023-10-31T07:07:05Z

bytes032 marked the issue as low quality report

#1 - miladpiri

2023-11-09T11:24:27Z

Invalid. ValidatorTimelock prevents execution batches prior to the timelock. This is needed only to protect server key leakage and exploiting circuit bug. Governance should be able to change validator or bypass the check in case this is needed.

#2 - c4-sponsor

2023-11-09T11:24:32Z

miladpiri (sponsor) disputed

#3 - c4-judge

2023-11-16T14:42:28Z

GalloDaSballo marked the issue as unsatisfactory: Invalid

#4 - wangxx2026

2023-11-30T09:13:51Z

I hope someone can help clarify this sentence in the readme:

"While the assumption is that either governance or security council are not malicious, neither governance, nor the security council should be able to circumvent the limitations imposed on them."

It’s very clear here that Governance cannot bypass restrictions.

#5 - GalloDaSballo

2023-12-07T10:21:04Z

I believe that in this instance the Admin Privilege as well as other disclosures cover this edge case I invite you to link me to other findings you believe are unfairly medium and I'll consider downgrading them

But I don't believe this finding should be awarded as Medium as the disclosures make it known, and I don't believe the comment around the assumptions allow to stretch the severity classification that far

#6 - c4-judge

2023-12-10T12:03:50Z

GalloDaSballo changed the severity to QA (Quality Assurance)

#7 - GalloDaSballo

2023-12-10T12:04:03Z

I have considered grouping this under the governance deadlock, but it ultimately doesn't qualify for a duplicate, I will award the report as valid QA even if it doesn't score sufficiently high due to this

#8 - c4-judge

2023-12-10T13:57:24Z

GalloDaSballo marked the issue as grade-b

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax Β© 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter