GalloDaSballo
commented
1 year ago I believe the lack of checks can open up to OOG griefs
Closed code423n4 closed 1 year ago
GalloDaSballo
commented
1 year ago I believe the lack of checks can open up to OOG griefs
c4-sponsor
commented
1 year ago miladpiri marked the issue as sponsor disputed
miladpiri
commented
1 year ago It is a compiler simulation and if it fails, the frame will fail too. Moreover, The compiler simulation doesn’t return the meaningful value. It is different from a normal low level call.
GalloDaSballo
commented
1 year ago From the Sponsor Provided Docs, we can verify that the call will transpile to:
Am closing as invalid due to the lack of acknowledgment of the zkCompiler Behaviour
c4-judge
commented
1 year ago GalloDaSballo marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-03-zksync/blob/21d9a364a4a75adfa6f1e038232d8c0f39858a64/contracts/ContractDeployer.sol#L320
Vulnerability details
Title:
Description: When creating a contract, if there is value to be transferred the
_constructContractfunction ofContractDeployerwill use theSystemContractsHelper.setValueForNextFarCallMethod: https://github.com/code-423n4/2023-03-zksync/blob/21d9a364a4a75adfa6f1e038232d8c0f39858a64/contracts/libraries/SystemContractHelper.sol#L161-L172However in
_constructContractfunction doesn't verify that the value returned was success: https://github.com/code-423n4/2023-03-zksync/blob/21d9a364a4a75adfa6f1e038232d8c0f39858a64/contracts/ContractDeployer.sol#L320As a result this could lead to an incorrect handling of
msg.valueand balances for contracts. Currently this may not lead to loss of funds since theL2EthTokencontract is called and the balance is successfully transferred there, but this could have downstream consequences if the created contract uses themsg.valuevariable in some way.Tools Used
Manual Review
Recommended Mitigation Steps
Check the return value and revert the transaction if
success != true.