Status: Closed (closed by code423n4, 1 year ago)
Contingent on externalities. Assumes you can have different logic at the same address. No coded POC.
Looks off tbh
As it helps the transparency of the protocol, it is worth QA!
miladpiri marked the issue as disagree with severity
miladpiri marked the issue as sponsor confirmed
miladpiri marked the issue as sponsor acknowledged
It should be noted that a malicious governor can deploy a proxy contract on `initAddress` or deploy a contract with `selfdestruct` functionality on `initAddress`, so in this case even with a nonzero code size check on `initAddress`, the malicious governor can exploit the protocol. But at least this check helps the transparency of the protocol, because users notice that a contract with `selfdestruct` or a proxy is deployed on `initAddress`, so the users will conclude that something is maybe wrong. So the users can take a risk and hold their funds in the protocol, or withdraw.
Per the comment from the sponsor, am downgrading to QA - Low
GalloDaSballo changed the severity to QA (Quality Assurance)
Lines of code
https://github.com/code-423n4/2022-10-zksync/blob/456078b53a6d09636b84522ac8f3e8049e4e3af5/ethereum/contracts/zksync/facets/DiamondCut.sol#L22
Vulnerability details

Impact

Not knowing the code in the `initAddress` and delegatecalling to it can pose a huge risk to the protocol.

Proof of Concept

A malicious governor proposes a valid proposal with a nonzero `initAddress` and `initCalldata`. But the `initAddress` is an address that does not have any code before execution of the proposal. So, just before executing the proposal, the malicious governor deploys a contract on the address of `initAddress` by using `create2`. At the end of proposal execution, the diamond proxy delegatecalls to this `initAddress`, which can exploit the protocol.

Tools Used
Recommended Mitigation Steps

It should be checked that `initAddress` has code when the proposal is created.
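As an added, hypothetical illustration (not zkSync's DiamondCut.sol or any project code), the following simplified governance contract applies the recommended nonzero-code check at proposal time and additionally pins the init contract's code hash, so that the selfdestruct-and-redeploy case raised in the sponsor's comment is rejected at execution; the contract and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Hypothetical, simplified stand-in for a diamond-cut governance facet.
/// Shows the recommended mitigation plus a code-hash pin between propose and execute.
contract InitAddressGuard {
    struct Proposal {
        address initAddress;
        bytes initCalldata;
        bytes32 initCodeHash; // extcodehash of initAddress at proposal time
        bool exists;
    }

    address public governor;
    Proposal public pending;

    constructor() { governor = msg.sender; }

    modifier onlyGovernor() { require(msg.sender == governor, "not governor"); _; }

    function propose(address initAddress, bytes calldata initCalldata) external onlyGovernor {
        if (initAddress != address(0)) {
            // Recommended mitigation: refuse an initAddress with no code at proposal time,
            // so nothing can be create2-deployed there only just before execution.
            require(initAddress.code.length != 0, "initAddress has no code");
        } else {
            require(initCalldata.length == 0, "calldata without init contract");
        }
        pending = Proposal({
            initAddress: initAddress,
            initCalldata: initCalldata,
            initCodeHash: initAddress.codehash,
            exists: true
        });
    }

    function execute() external onlyGovernor {
        Proposal memory p = pending;
        require(p.exists, "no proposal");
        delete pending;
        if (p.initAddress != address(0)) {
            // Re-check at execution: the bytecode must be the same bytes users reviewed when
            // the proposal was made. This catches selfdestruct-and-redeploy with different
            // code, but not a proxy whose implementation was swapped behind the same code.
            require(p.initAddress.code.length != 0, "init code vanished");
            require(p.initAddress.codehash == p.initCodeHash, "init code changed");
            (bool ok, ) = p.initAddress.delegatecall(p.initCalldata);
            require(ok, "init failed");
        }
    }
}
```

The proxy case noted by the sponsor still passes both checks, so users reviewing a proposal should also inspect whether the pinned init contract is itself upgradeable.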