Risk of Refund Loss During Upgrade Transactions #880
Labels
bug
Something isn't working
disagree with severity
Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments)
downgraded by judge
Judge downgraded the risk level of this issue
grade-a
ineligible for award
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
sponsor acknowledged
Technically the issue is correct, but we're not going to resolve it for XYZ reasons
sufficient quality report
This report is of sufficient quality
Lines of code
https://github.com/code-423n4/2023-10-zksync/blob/main/code/contracts/ethereum/contracts/zksync/libraries/TransactionValidator.sol#L55
Vulnerability details
Impact
The absence of a mechanism to verify the control of the refund recipient may expose upgrade transactions to the risk of refund loss
Proof of Concept
In the case of an upgrade transaction, there is a risk of losing the refund because there is no mechanism in place to ensure that the refund recipient address is under the control of the governor or administrator.
https://github.com/code-423n4/2023-10-zksync/blob/main/code/contracts/ethereum/contracts/upgrades/BaseZkSyncUpgrade.sol#L181
https://github.com/code-423n4/2023-10-zksync/blob/main/code/contracts/ethereum/contracts/zksync/libraries/TransactionValidator.sol#L55
Since the
msg.sender
for upgrade transactions is the address of theGovernance
contract, it is essential that the refund recipient corresponds to theL1toL2Alias
of theGovernance
contract to ensure proper control and governance over the refund.Tools Used
Recommended Mitigation Steps
The check on line 55 should be as follows:
https://github.com/code-423n4/2023-10-zksync/blob/1fb4649b612fac7b4ee613df6f6b7d921ddd6b0d/code/contracts/ethereum/contracts/zksync/libraries/TransactionValidator.sol#L55
Assessed type
Context
The text was updated successfully, but these errors were encountered: