code-423n4 / 2022-10-zksync-findings


No Maximum Cap On zksyncFee #269

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2022-10-zksync/blob/main/ethereum/contracts/bridge/L1EthBridge.sol#L88-L104

Vulnerability details

Impact

A user might lose his ETH if he/she accidentally sends more ETH in the msg.value for any reason, such as putting in an extra zero.

Proof of Concept

In the function https://github.com/code-423n4/2022-10-zksync/blob/main/ethereum/contracts/bridge/L1EthBridge.sol#L88-L104, it initiates a deposit by locking in funds on the L1: it locks _amount number of tokens, and then zksyncFee is calculated as the excess ETH sent, i.e. msg.value - _amount. There is no max cap on the msg.value or the zksyncFee, i.e. a user can send any amount of ETH and that excess ETH would all be given to the protocol as the zksyncFee, and the user would lose his/her funds if a higher value is accidentally given.

Tools Used

Manual Analysis and Visual Code

Recommended Mitigation Steps

There should be a max cap on the zksyncFee which does not let the fee be higher than a specific amount.
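The pattern the finding describes, beside one way to apply the recommended cap, as an added illustration for this note. This is not the zkSync L1EthBridge code and is not taken from the repository linked above; the contract, function names (`depositUnbounded`, `depositBounded`), the `MAX_FEE` constant and the `_maxFee` parameter are hypothetical and exist only to make the two behaviours comparable.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Illustrative deposit logic written for this note. It is NOT the zkSync
/// L1EthBridge contract; all names below are hypothetical.
contract DepositFeeExample {
    /// Hypothetical protocol-level ceiling on the fee a single deposit may pay.
    uint256 public constant MAX_FEE = 0.05 ether;

    mapping(address => uint256) public locked;
    uint256 public collectedFees;

    event Deposited(address indexed sender, uint256 amount, uint256 fee);

    /// Pattern described in the finding: the whole excess over _amount becomes
    /// the fee with no upper bound. A typo in msg.value (an extra zero) silently
    /// turns the surplus into fee revenue instead of reverting.
    function depositUnbounded(uint256 _amount) external payable {
        require(msg.value >= _amount, "insufficient value");
        uint256 zksyncFee = msg.value - _amount; // unbounded
        locked[msg.sender] += _amount;
        collectedFees += zksyncFee;
        emit Deposited(msg.sender, _amount, zksyncFee);
    }

    /// Bounded variant: the caller states the most fee they accept (_maxFee)
    /// and the contract also enforces a protocol cap, so an over-sized
    /// msg.value reverts instead of being kept.
    function depositBounded(uint256 _amount, uint256 _maxFee) external payable {
        require(msg.value >= _amount, "insufficient value");
        uint256 zksyncFee = msg.value - _amount;
        require(zksyncFee <= _maxFee, "fee exceeds caller limit");
        require(zksyncFee <= MAX_FEE, "fee exceeds protocol cap");
        locked[msg.sender] += _amount;
        collectedFees += zksyncFee;
        emit Deposited(msg.sender, _amount, zksyncFee);
    }
}
```

The caller-supplied `_maxFee` is the slippage-style bound that protects a user from their own input error; the constant `MAX_FEE` is the protocol-side cap the finding asks for. Reverting is the simplest mitigation; refunding the surplus is an alternative, but it adds an external call and the usual checks-effects-interactions care.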

GalloDaSballo commented 1 year ago

Self rekt

c4-sponsor commented 1 year ago

miladpiri marked the issue as sponsor disputed

miladpiri commented 1 year ago

Since it is directly mentioned that fee modeling is not implemented, it is not an issue! Ref1 Ref2

GalloDaSballo commented 1 year ago

L

c4-judge commented 1 year ago

Duplicate of https://github.com/code-423n4/2022-10-zksync-findings/issues/299

c4-judge commented 1 year ago

GalloDaSballo marked the issue as grade-c