Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Validator may refuse to process the cross-chain transaction. #180

Closed
code423n4 opened this issue Nov 7, 2022 · 4 comments
Closed

Validator may refuse to process the cross-chain transaction. #180

code423n4 opened this issue Nov 7, 2022 · 4 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working nullified Issue is high quality, but not accepted sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-10-zksync/blob/456078b53a6d09636b84522ac8f3e8049e4e3af5/ethereum/contracts/zksync/facets/Executor.sol#L152
https://github.com/code-423n4/2022-10-zksync/blob/456078b53a6d09636b84522ac8f3e8049e4e3af5/ethereum/contracts/zksync/facets/Executor.sol#L208
https://github.com/code-423n4/2022-10-zksync/blob/456078b53a6d09636b84522ac8f3e8049e4e3af5/ethereum/contracts/zksync/facets/Executor.sol#L221
https://github.com/code-423n4/2022-10-zksync/blob/456078b53a6d09636b84522ac8f3e8049e4e3af5/ethereum/contracts/zksync/facets/Executor.sol#L336

Vulnerability details

Impact

Currently the project trust model is that the governor and the validator to not act maliciously.

But if the validator refuse to process the cross-chain transaction, the user's fund is locked infinitely in the L1ERC20Bridge.sol and in L1ETHBridge.sol

Proof of Concept

In the current implementation, when user starts a cross-chain transfer, the user needs to call deposit and the cross-chain is put into a queue.

The validator needs to pop from the queue to process the job in first-in-first-out order.

However, if the validator just refuse to process the cross-chain transaction by calling the function that has the modifier onlyValidator in the Executor.sol. The transaction in the queue is stucked.

function commitBlocks(StoredBlockInfo memory _lastCommittedBlockData, CommitBlockInfo[] calldata _newBlocksData)
	external
	override
	nonReentrant
	onlyValidator
{

and

    function executeBlocks(StoredBlockInfo[] calldata _blocksData) external nonReentrant onlyValidator {

and

    function proveBlocks(
        StoredBlockInfo calldata _prevBlock,
        StoredBlockInfo[] calldata _committedBlocks,
        ProofInput calldata _proof
    ) external nonReentrant onlyValidator {

Tools Used

VS Code

Recommended Mitigation Steps

If the validator turns rogue, there is no cost for validator but the cost from the project and the cost from user is great. It is time confusing for governor and project to set up new validator infra.

I think a way to mitigate this to make sure the validator does the job is let them stake tokens and if they does not process transaction,

The protocol punish the validator by slashing their tokens.

@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Nov 7, 2022
code423n4 added a commit that referenced this issue Nov 7, 2022
@miladpiri
Copy link

As mentioned in the overview of zkSync in C4 contest:

L1 -> L2 communication is implemented as requesting an L2 transaction on L1 and executing it on L2. This means a user can call the function on L1 contract to save the data about the transaction in some queue. Later on, a validator can process such transactions on L2 and mark them as processed on the L1 priority queue. Currently, it is used only for sending information from L1 to L2 or implementing a multi-layer protocol, but it is planned to use a priority queue for the censor-resistance mechanism.

So, invalid issue!

@c4-sponsor
Copy link

miladpiri marked the issue as sponsor disputed

@c4-sponsor c4-sponsor added the sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue label Nov 22, 2022
@GalloDaSballo
Copy link

Per the sponsor comment, with acknowledgement on the readme, also considering the possibility of performing a FullExit:
https://etherscan.io/address/0x8e972b354e6933275513c355ee14d44a832ad2d9#code#F1#L326

Am closing as invalid

@c4-judge
Copy link
Contributor

c4-judge commented Dec 1, 2022

GalloDaSballo marked the issue as nullified

@c4-judge c4-judge closed this as completed Dec 1, 2022
@c4-judge c4-judge added the nullified Issue is high quality, but not accepted label Dec 1, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working nullified Issue is high quality, but not accepted sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
Projects
None yet
Development

No branches or pull requests

5 participants