code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-03-zksync/blob/21d9a364a4a75adfa6f1e038232d8c0f39858a64/contracts/L2EthToken.sol#L80-L94

Vulnerability details

Impact

_l1Receiver lose the token amount

Proof of Concept

function withdraw(address _l1Receiver) external payable override { uint256 amount = msg.value;

    // Silent burning of the ether
    unchecked {
        balance[address(this)] -= amount;
        totalSupply -= amount;
    }

    // Send the L2 log, a user could use it as proof of the withdrawal
    bytes memory message = _getL1WithdrawMessage(_l1Receiver, amount);
    L1_MESSENGER_CONTRACT.sendToL1(message);

    emit Withdrawal(msg.sender, _l1Receiver, amount);
}

Inside the withdraw function the balance[_l1Receiver] value is not increased. only the amount is burned from balance[address(this)] and totalSupply . The amount is not added to any receiver address or msg.sender

Tools Used

Manual audit

Recommended Mitigation Steps

Add the token to balance of _l1Receiver

balance[_l1Receiver]+=amount;

c4-judge commented 1 year ago

GalloDaSballo marked the issue as unsatisfactory: Insufficient proof

GalloDaSballo commented 1 year ago

Finding doesn't acknowledge how the system actually works

code-423n4 / 2023-03-zksync-findings