The `SystemContext` contract contains the test interface

[code423n4]

Lines of code

https://github.com/code-423n4/2023-03-zksync/blob/main/contracts/SystemContext.sol#L130-L135

Vulnerability details

Summary

// https://github.com/code-423n4/2023-03-zksync/blob/main/contracts/SystemContext.sol#L130-L135
    /// @notice A testing method that manually sets the current blocks' number and timestamp.
    /// @dev Should be used only for testing / ethCalls and should never be used in production.
    function unsafeOverrideBlock(uint256 _newTimestamp, uint256 number, uint256 _baseFee) external onlyBootloader {
        currentBlockInfo = (number) * BLOCK_INFO_BLOCK_NUMBER_PART + _newTimestamp;
        baseFee = _baseFee;
    }

The SystemContext contract contains the test interface, which can forcibly modify the current block information.

Impact

This interface may be considered a backdoor.

Proof of Concept

Tools Used

Manual

Recommended Mitigation Steps

It is recommended to delete the test interface.

[miladpiri]

Better to remove.

At most QA.

[c4-sponsor]

miladpiri marked the issue as disagree with severity

[GalloDaSballo]

Will consult with judges due to rules around scope, but I believe that the comment on the code shows the function is for testing and the severity can be correctly downgraded

[GalloDaSballo]

After checking the bootloader, we can see that the function may be called only if the bootloader uses playground_block

https://github.com/code-423n4/2023-03-zksync/blob/21d9a364a4a75adfa6f1e038232d8c0f39858a64/bootloader/bootloader.yul#L54-L55

                <!-- @if BOOTLOADER_TYPE=='playground_block' -->

For this reason am downgrading to QA

[GalloDaSballo]

L

[c4-judge]

GalloDaSballo changed the severity to QA (Quality Assurance)

[c4-judge]

GalloDaSballo marked the issue as grade-c