Malicious operator can freeze users' bridged ERC20 tokens by appending transactions after the merkle tree is full #938
Labels
bug
Something isn't working
disagree with severity
Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments)
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-853
grade-a
low quality report
This report is of especially low quality
Q-05
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Lines of code
https://github.com/code-423n4/2023-10-zksync/blob/1fb4649b612fac7b4ee613df6f6b7d921ddd6b0d/code/system-contracts/bootloader/bootloader.yul#L965-L966
Vulnerability details
Impact
However, the check for numberOfL2ToL1Logs is incorrect. As a result, malicious operator can append transaction even after the merkle tree is full. User will not be able to redeem failed deposits since the proof for the failed transaction is not included in the merkle tree.
Proof of Concept
Let's focus on function publishPubdataAndClearState of L1 messenger.
We are requiring nothing here. So numberOfL2ToL1Logs can be larger than 2048.
Later, we simply ignore logs after 2049. They will not be reflected in the root hash.
Each time when function processL1Tx is called in bootloader, a log indicating transaction result will be sent.
A malicious operator can wait patiently until the current pending priority transactions emit more than 2048 logs in total (operator can also do it herself!) After that, if a ERC20 deposit failed, operator conclude the batch and the failed deposit can never be redeemed, since the log is not included in the merkle tree.
Tools Used
Manual
Recommended Mitigation Steps
(It's better to have a dynamic tree here)
Assessed type
Context
The text was updated successfully, but these errors were encountered: