code-423n4 / 2023-03-zksync-findings


No way to withdraw ETH sent to DefaultAccount.sol via receive #117

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-03-zksync/blob/main/contracts/DefaultAccount.sol#L230

Vulnerability details

Impact

Users may lose assets

Proof of Concept

The contract DefaultAccount.sol contains a receive function which allows the contract to receive the native token. If a user mistakenly sends over some native tokens to the contract, their ether will be stuck.

    receive() external payable {
        // If the contract is called directly, behave like an EOA
    }

Tools Used

Vscode

Recommended Mitigation Steps

Implement the rescuetoken() function

GalloDaSballo commented 1 year ago

I think this is incorrect as the account can call any token out

miladpiri commented 1 year ago

The account with a private key for the DefaultAccount can submit a transaction from it (alternatively, an L1→L2 communication could be used)
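The sponsor's point is that an account contract is not a passive vault: the key holder can have the account itself make an outgoing call, which includes sending its ETH balance anywhere. The following Solidity snippet is an added illustration and is not zkSync's DefaultAccount nor code from this thread. It uses a hypothetical `MinimalAccount` with a plain `owner` check and an `execute` function instead of zkSync's bootloader-driven account-abstraction flow, and puts it next to a hypothetical `PlainReceiver` that only has `receive()`, which is the situation the finding actually describes (ETH arrives, nothing can call out).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Hypothetical minimal account (assumption: owner-authorised execution
/// stands in for zkSync's signature validation by the bootloader).
contract MinimalAccount {
    address public immutable owner;

    constructor(address _owner) {
        owner = _owner;
    }

    /// Accept plain value transfers, like an EOA would.
    receive() external payable {
        // Intentionally empty: receiving ETH is fine because the
        // account can always send it out again via execute().
    }

    /// The account performs an arbitrary call on behalf of its owner.
    /// Sending ETH is just a call with `value` set and empty `data`,
    /// so no dedicated "rescue" function is needed.
    function execute(address to, uint256 value, bytes calldata data)
        external
        returns (bytes memory)
    {
        require(msg.sender == owner, "not owner");
        (bool ok, bytes memory ret) = to.call{value: value}(data);
        require(ok, "call failed");
        return ret;
    }
}

/// Hypothetical contract that really does trap ETH: it can receive
/// value but has no code path that sends value out.
contract PlainReceiver {
    receive() external payable {}
}

/// Constructed demo: fund both contracts, then show that only the
/// account can return its balance to the caller.
contract Demo {
    receive() external payable {}

    function run()
        external
        payable
        returns (uint256 recoveredFromAccount, uint256 stuckInPlain)
    {
        require(msg.value >= 2, "send at least 2 wei");
        MinimalAccount acct = new MinimalAccount(address(this));
        PlainReceiver plain = new PlainReceiver();
        uint256 half = msg.value / 2;

        (bool s1, ) = address(acct).call{value: half}("");
        (bool s2, ) = address(plain).call{value: half}("");
        require(s1 && s2, "funding failed");

        // The owner sweeps the account's ETH by making the account
        // call back to this contract with the whole balance.
        acct.execute(address(this), address(acct).balance, "");
        recoveredFromAccount = half;            // balance came back
        stuckInPlain = address(plain).balance;  // still half, no way out
    }
}
```

Calling `Demo.run` with some value returns `(half, half)`: the account's share is back in `Demo`, while `PlainReceiver` keeps its share forever. The security-relevant distinction is therefore whether the contract that exposes `receive()` also exposes an authorised outgoing-call path, not whether it has an explicit rescue function.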

c4-sponsor commented 1 year ago

miladpiri marked the issue as sponsor disputed

GalloDaSballo commented 1 year ago

After the sponsor clarification, I agree with the Sponsor that the funds can be swept out

c4-judge commented 1 year ago

GalloDaSballo marked the issue as unsatisfactory: Invalid