Closed. code423n4 closed this issue 1 year ago.
Missing Zero Address Check: L
Require should be used instead of Assert: Disputed
Event is Missing Indexed Fields: Disagree, I think the sponsor indexed what they wanted
Should Resolve TODOs before Deployment: NC
Require Statements without Descriptive Revert Strings: NC
1L 2NC
GalloDaSballo marked the issue as grade-c
Table of Contents
Low Risk Issues
Non-critical Issues
Low Risk Issues
Missing Zero Address Check
Issue
I recommend adding a zero-address check for input validation of critical address parameters. Without it, an address accidentally set to the zero address leaves the contract non-functional and forces a redeployment.
PoC
Total of 7 instances found.
L1ERC20Bridge.sol:constructor(): allowList (address) https://github.com/code-423n4/2022-10-zksync/blob/456078b53a6d09636b84522ac8f3e8049e4e3af5/ethereum/contracts/bridge/L1ERC20Bridge.sol#L59
L1ERC20Bridge.sol:constructor(): zkSyncMailbox (address) https://github.com/code-423n4/2022-10-zksync/blob/456078b53a6d09636b84522ac8f3e8049e4e3af5/ethereum/contracts/bridge/L1ERC20Bridge.sol#L58
L1ERC20Bridge.sol:initialize(): l2TokenFactory (address) https://github.com/code-423n4/2022-10-zksync/blob/456078b53a6d09636b84522ac8f3e8049e4e3af5/ethereum/contracts/bridge/L1ERC20Bridge.sol#L79
L1EthBridge.sol:constructor(): allowList (address) https://github.com/code-423n4/2022-10-zksync/blob/456078b53a6d09636b84522ac8f3e8049e4e3af5/ethereum/contracts/bridge/L1EthBridge.sol#L50
L1EthBridge.sol:constructor(): zkSyncMailbox (address) https://github.com/code-423n4/2022-10-zksync/blob/456078b53a6d09636b84522ac8f3e8049e4e3af5/ethereum/contracts/bridge/L1EthBridge.sol#L49
L2ERC20Bridge.sol:constructor(): l1Bridge (address) https://github.com/code-423n4/2022-10-zksync/blob/456078b53a6d09636b84522ac8f3e8049e4e3af5/zksync/contracts/bridge/L2ERC20Bridge.sol#L36
L2ETHBridge.sol:constructor(): l1Bridge (address) https://github.com/code-423n4/2022-10-zksync/blob/456078b53a6d09636b84522ac8f3e8049e4e3af5/zksync/contracts/bridge/L2ETHBridge.sol#L31
Mitigation
Add a zero-address check for each of the addresses listed above.
Require should be used instead of Assert
Issue
The Solidity documentation states that properly functioning code should never reach a failing assert statement; if it does, there is a bug in the contract that should be fixed. Reference: https://docs.soliditylang.org/en/v0.8.15/control-structures.html#panic-via-assert-and-error-via-require
PoC
Total of 1 instance found.
Mitigation
Replace assert with require.
Non-critical Issues
Event is Missing Indexed Fields
Issue
Each event should use three indexed fields when it has three or more fields.
PoC
Total of 17 instances found.
Mitigation
Add up to three indexed fields where possible.
Should Resolve TODOs before Deployment
Issue
Questions/Issues in the code should be resolved before the deployment.
PoC
Total of 5 instances found.
Require Statements without Descriptive Revert Strings
Issue
It is best practice to include descriptive revert strings in require statements for readability and auditing.
PoC
Total of 9 instances found.
Mitigation
Add descriptive revert strings so that it is easier to understand what the code is trying to do.
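An added illustration, not the zkSync code and not part of this report, combining the zero-address check, require-instead-of-assert and descriptive-revert-string findings above: a bridge-style constructor and initializer that validate every critical address before storing it. The parameter names (allowList, zkSyncMailbox, l2TokenFactory) follow the instances listed above; the contract name, function bodies, reason strings and the deployer-only guard on initialize() are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Illustrative bridge skeleton (assumed, not the zkSync contracts).
/// Every critical address is checked against address(0) with require and a
/// descriptive reason string; assert is reserved for internal invariants.
contract BridgeAddressChecks {
    address public immutable allowList;
    address public immutable zkSyncMailbox;
    address public immutable deployer;
    address public l2TokenFactory;
    bool private initialized;

    constructor(address _allowList, address _zkSyncMailbox) {
        // Immutables cannot be changed after deployment: a zero address here
        // would leave the bridge permanently non-functional and force a redeploy.
        require(_allowList != address(0), "Bridge: allowList is zero address");
        require(_zkSyncMailbox != address(0), "Bridge: zkSyncMailbox is zero address");
        allowList = _allowList;
        zkSyncMailbox = _zkSyncMailbox;
        deployer = msg.sender;
    }

    /// One-shot initializer; the deployer-only guard is an assumption of this
    /// example (the real contract's access control is not described here).
    function initialize(address _l2TokenFactory) external {
        require(msg.sender == deployer, "Bridge: caller is not deployer");
        require(!initialized, "Bridge: already initialized");
        require(_l2TokenFactory != address(0), "Bridge: l2TokenFactory is zero address");
        initialized = true;
        l2TokenFactory = _l2TokenFactory;
    }

    /// Reads the factory; the assert documents an invariant that can only be
    /// violated by a bug in this contract, which is what assert is meant for.
    function factory() external view returns (address) {
        require(initialized, "Bridge: not initialized");
        assert(l2TokenFactory != address(0));
        return l2TokenFactory;
    }
}
```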