Lines of code
https://github.com/code-423n4/2023-03-zksync/blob/21d9a364a4a75adfa6f1e038232d8c0f39858a64/contracts/L2EthToken.sol#L80-L94
Vulnerability details
Impact
_l1Receiver loses the token amount.
Proof of Concept
function withdraw(address _l1Receiver) external payable override {
    uint256 amount = msg.value;
    // Silent burning of the ether
    unchecked {
        balance[address(this)] -= amount;
        totalSupply -= amount;
    }
    // Send the L2 log, a user could use it as proof of the withdrawal
    bytes memory message = _getL1WithdrawMessage(_l1Receiver, amount);
    L1_MESSENGER_CONTRACT.sendToL1(message);
    emit Withdrawal(msg.sender, _l1Receiver, amount);
}
Inside the withdraw function, the balance[_l1Receiver] value is not increased. The amount is only burned from balance[address(this)] and totalSupply; it is not added to any receiver address or to msg.sender.
Tools Used
Manual audit
Recommended Mitigation Steps
Add the token to the balance of _l1Receiver:
balance[_l1Receiver] += amount;