Governor admin can set verifier address and verify params to a wrong or invalid address intentionally #181
Labels
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-239
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
sponsor disputed
Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
Lines of code
https://github.com/code-423n4/2022-10-zksync/blob/456078b53a6d09636b84522ac8f3e8049e4e3af5/ethereum/contracts/zksync/facets/Governance.sol#L45
https://github.com/code-423n4/2022-10-zksync/blob/456078b53a6d09636b84522ac8f3e8049e4e3af5/ethereum/contracts/zksync/facets/Executor.sol#L231
https://github.com/code-423n4/2022-10-zksync/blob/456078b53a6d09636b84522ac8f3e8049e4e3af5/ethereum/contracts/zksync/facets/Executor.sol#L248
https://github.com/code-423n4/2022-10-zksync/blob/456078b53a6d09636b84522ac8f3e8049e4e3af5/ethereum/contracts/zksync/facets/Executor.sol#L260
Vulnerability details
Impact
The governor has the power to set the verifier address (and the verifier params) to any value, with no validation of the new value.
If the governor intentionally sets the verifier to a wrong or invalid address,
the validator can no longer prove committed blocks: every proof submission reverts, so block processing halts until the governor sets a working verifier again.
Proof of Concept
The governor can set the verifier address and the verifier params to any value by calling the governor-only setters linked above (Governance.sol#L45); the new value is stored as-is, without checking that it points to a contract or that the contract can verify anything.
For example, if the governor misbehaves and sets the verifier to address(0) or to a random EOA, the validator cannot prove blocks any more: the external call to the verifier made from the proving path (Executor.sol#L231) reverts, because there is no code at that address to run the proof verification.
Note that both the verifier params and the verifier address are read in that proving path (see the Executor.sol lines linked above), so an invalid value for either one breaks proving.
If this verification fails, the blocks' commitment verification fails and the proof transaction reverts.
Tools Used
Manual Review
Recommended Mitigation Steps
We recommend adding a sanity check when the governor sets the verifier, for example requiring that the new verifier address is a contract and that it successfully verifies a known-good (dummy) proof before the new address is accepted.
We also recommend placing the governor address behind a multisig wallet to safeguard it.
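One way to implement the recommended sanity check, as an added example that is not part of the original issue or of the zkSync code base: the governor-only setter rejects address(0) and EOAs via a code-size check and then requires the candidate to verify a reference proof stored by governance before the address is accepted. The `IVerifier` interface, the `verify_serialized_proof` name and signature, the stored reference proof, and the error strings are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Assumed minimal verifier interface (not the project's own declaration);
// the name/signature are an assumption modelled on how the Executor facet
// calls its verifier.
interface IVerifier {
    function verify_serialized_proof(
        uint256[] calldata publicInputs,
        uint256[] calldata serializedProof
    ) external view returns (bool);
}

// Hypothetical governance contract illustrating a guarded setVerifier.
contract GuardedVerifierGovernance {
    address public governor;
    IVerifier public verifier;

    // Known-good (public inputs, proof) pair that every verifier candidate
    // must accept. Assumption: governance can produce such a reference pair
    // for the current circuit and stores it here.
    uint256[] private referenceInputs;
    uint256[] private referenceProof;

    event NewVerifier(address indexed oldVerifier, address indexed newVerifier);

    modifier onlyGovernor() {
        require(msg.sender == governor, "only governor");
        _;
    }

    constructor(
        address _governor,
        IVerifier _verifier,
        uint256[] memory _referenceInputs,
        uint256[] memory _referenceProof
    ) {
        governor = _governor;
        verifier = _verifier;
        referenceInputs = _referenceInputs;
        referenceProof = _referenceProof;
    }

    /// @notice Change the verifier, refusing addresses that cannot verify.
    function setVerifier(IVerifier _newVerifier) external onlyGovernor {
        address candidate = address(_newVerifier);

        // address(0) and EOAs have no code: any verify call to them would
        // revert, so reject them up front.
        require(candidate.code.length > 0, "verifier: not a contract");

        // The candidate must accept the reference proof. try/catch catches
        // reverts inside the candidate (e.g. the function does not exist);
        // a malformed return value makes this call revert in the caller,
        // which also rejects the candidate.
        try _newVerifier.verify_serialized_proof(referenceInputs, referenceProof)
            returns (bool ok)
        {
            require(ok, "verifier: rejects reference proof");
        } catch {
            revert("verifier: verify call reverted");
        }

        address old = address(verifier);
        if (old != candidate) {
            verifier = _newVerifier;
            emit NewVerifier(old, candidate);
        }
    }
}
```

This check stops the failure mode described in the issue (a verifier that cannot be called at all), but it does not stop a malicious contract that returns `true` for every proof, which is why the multisig recommendation still matters: the reference-proof check protects against invalid addresses, the governance setup protects against a misbehaving governor.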