code-423n4 / 2023-03-zksync-findings

L1 transaction gas cost may be changed in the future #207

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-03-zksync/blob/main/bootloader/bootloader.yul#L150

Vulnerability details

Impact

A possible change in the transaction gas cost leads to a wrong block base fee calculation.

Proof of Concept

The procedure of the zkSync rollup starts from the bootloader program. It handles and manages many operations to send the validated transactions back to layer 1 with a drastically reduced processing time. During its work cycle, the Bootloader calculates and sets the block gas fee, based on the L1 gas and a fair L2 gas price. This calculation uses the L1_GAS_PER_PUBDATA_BYTE() pure function, which statically returns the number 17, to get the publishing cost on L1. Currently, this cost is 16 Gwei for a single byte, and considering the additional fees, it has been set as 17. Many proposals have been suggested to alter this number. One of those proposals is EIP-4488, which suggests reducing this number from 16 to 3, and thus the maximum block size increases to 10M bytes. Although this proposal is stagnant, with recent advances and proposals, it is likely to be applied. As a consequence, the base fee would be calculated wrongly using the bootloader program.

EIP-4488: https://eips.ethereum.org/EIPS/eip-4488

Tools Used

Manual Review

Recommended Mitigation Steps

Consider making L1_GAS_PER_PUBDATA_BYTE() dynamic, so that its value can be changed over time.

miladpiri commented 1 year ago

The formula is misunderstood. The user thinks that “17” is the number of gwei, while in fact 17 is the number of gas that publishing a byte on L1 would cost us. (16 is the price for a non-zero byte of calldata + 1 gas is added to cover up for additional potential cost). If the pricing for calldata changes, we’ll do an upgrade. So, for such changes we have upgradability.

c4-sponsor commented 1 year ago

miladpiri marked the issue as sponsor disputed

GalloDaSballo commented 1 year ago

I believe the sponsor correctly disputed. However, I think the suggestion is valid as a Refactoring, and I am going to downgrade it to that.

I understand the sponsor can upgrade to change the constant, which will save gas.

GalloDaSballo commented 1 year ago

R

c4-judge commented 1 year ago

GalloDaSballo changed the severity to QA (Quality Assurance)

c4-judge commented 1 year ago

GalloDaSballo marked the issue as grade-c