code-423n4 / 2023-03-zksync-findings


L2EthToken.withdraw can underflow with little cost #124

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-03-zksync/blob/21d9a364a4a75adfa6f1e038232d8c0f39858a64/contracts/L2EthToken.sol#L85

Vulnerability details

Impact

Calculating balance[address(this)] within unchecked will cause underflow.

Say balance[address(this)] == 1 and msg.value == 2; after calling withdraw, balance[address(this)] will be type(uint256).max.

Proof of Concept

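pragma solidity ^0.8.0;

// Wrapper contract (illustrative name) so the PoC compiles on its own.
contract UnderflowPoC {
    // Inside `unchecked`, a - b wraps instead of reverting: underFlow(1, 2) == type(uint256).max.
    function underFlow(uint a, uint b) public pure returns(uint) {
        uint c;
        unchecked {
            c = a - b;
        }
        return c;
    }
}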

Tools Used

VS

Recommended Mitigation Steps

Move balance[address(this)] -= amount; out of unchecked.

+        balance[address(this)] -= amount;
         unchecked {
-            balance[address(this)] -= amount;
             totalSupply -= amount;
         }
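Review bot: `totalSupply -= amount;` stays inside `unchecked` with no comment stating why it cannot underflow, while the balance subtraction moved above the block is treated as unsafe; the two lines need the same justification. The hunk also does not show where `amount` comes from or whether `balance[address(this)]` has already been credited with it before this point, so please cite that line: if the credit always happens first, the checked subtraction only adds gas, and if it does not, the invariant should be written as a comment above both subtractions.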
c4-judge commented 1 year ago

GalloDaSballo marked the issue as duplicate of #110

c4-judge commented 1 year ago

GalloDaSballo marked the issue as unsatisfactory: Invalid