A user might lose ETH if they accidentally send more ETH in msg.value than intended, for example by adding an extra zero.
Proof of Concept
The function at https://github.com/code-423n4/2022-10-zksync/blob/main/ethereum/contracts/bridge/L1EthBridge.sol#L88-L104 initiates a deposit by locking funds on L1. It locks _amount tokens, and zksyncFee is then calculated as the excess ETH sent, i.e. msg.value - _amount.
There is no max cap on msg.value or on zksyncFee, so a user can send any amount of ETH, and all of the excess goes to the protocol as the zksyncFee. A user who accidentally sends a higher value loses those funds.
Tools Used
Manual Analysis and Visual Code
Recommended Mitigation Steps
There should be a max cap on the zksyncFee that does not let the fee be higher than a specific amount.
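The uncapped fee pattern described above next to a capped variant, as an added example. This is not code from L1EthBridge.sol: the contract name, the function names, the storage layout and the MAX_FEE value are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

/// Illustrative sketch only, NOT the zkSync L1EthBridge contract.
/// FeeCapSketch, MAX_FEE, depositUncapped and depositCapped are hypothetical names.
contract FeeCapSketch {
    // Assumed cap; the report does not specify a value.
    uint256 public constant MAX_FEE = 0.01 ether;

    mapping(address => uint256) public locked; // funds locked per depositor
    uint256 public feesCollected;              // fees kept by the protocol

    error FeeTooHigh(uint256 fee, uint256 maxFee);

    /// Pattern described in the report: everything above _amount becomes the fee.
    function depositUncapped(uint256 _amount) external payable {
        // Checked arithmetic in 0.8.x reverts here if msg.value < _amount.
        uint256 fee = msg.value - _amount;
        locked[msg.sender] += _amount;
        feesCollected += fee; // an extra zero in msg.value ends up here
    }

    /// Recommended mitigation: reject a deposit whose implied fee exceeds the cap,
    /// so a mistyped msg.value reverts instead of being absorbed as a fee.
    function depositCapped(uint256 _amount) external payable {
        require(msg.value >= _amount, "value below amount");
        uint256 fee = msg.value - _amount;
        if (fee > MAX_FEE) revert FeeTooHigh(fee, MAX_FEE);
        locked[msg.sender] += _amount;
        feesCollected += fee;
    }
}
```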
Lines of code
https://github.com/code-423n4/2022-10-zksync/blob/main/ethereum/contracts/bridge/L1EthBridge.sol#L88-L104