Closed code423n4 closed 1 year ago
GalloDaSballo marked the issue as primary issue
Slightly more concise but basically both reports are as good
IMHO Low, but it is something that it is possible to forget in future upgrades. The impact is also very limited.
miladpiri marked the issue as disagree with severity
I believe the finding to be valid, but reliant on user mistake: https://github.com/code-423n4/org/issues/53
Downgrading to Low
L
GalloDaSballo changed the severity to QA (Quality Assurance)
GalloDaSballo marked the issue as grade-c
Lines of code
https://github.com/code-423n4/2023-03-zksync/blob/21d9a364a4a75adfa6f1e038232d8c0f39858a64/contracts/ContractDeployer.sol#L212
Vulnerability details
Impact
If `callConstructor` is not needed, `value` will be ignored, and the `value` may be lost.
Proof of Concept
When FORCE_DEPLOYER calls `forceDeployOnAddresses()`, it can pass `_deployments.value`.
In the current implementation, if `callConstructor` is needed, the `value` is passed to `newAddress` and set as the `msg.value` for the constructor. If `callConstructor` is not needed, it is directly ignored. So if a `value` has been passed, it also needs to be transferred to `newAddress`, even though `callConstructor` is not needed.
Tools Used
Recommended Mitigation Steps
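Added example, not part of the original report or of the zkSync code base: a small Python model of the value accounting described in the Proof of Concept, with a check that flags value left behind after a batch. The `ForceDeployment` fields mirror the names in the report; the function names, the `DEPLOYER` label, the rule that `msg.value` equals the sum of the values, and the assumption that ignored value stays on the deployer's balance are assumptions of this model.

```python
from dataclasses import dataclass

DEPLOYER = "ContractDeployer"  # label for the model's deployer account (assumption)


@dataclass(frozen=True)
class ForceDeployment:
    new_address: str
    call_constructor: bool
    value: int


def force_deploy_on_addresses(deployments, msg_value, forward_always=False):
    """Return the balances after one modelled forceDeployOnAddresses call.

    forward_always=False models the behaviour the report describes;
    forward_always=True models the change the report asks for.
    """
    # Assumption of this model: the caller funds exactly the sum of the values.
    if msg_value != sum(d.value for d in deployments):
        raise ValueError("msg.value must equal the sum of deployment values")
    balances = {DEPLOYER: msg_value}
    for d in deployments:
        balances.setdefault(d.new_address, 0)
        if d.call_constructor or forward_always:
            # value reaches newAddress (as the constructor's msg.value when it is called)
            balances[DEPLOYER] -= d.value
            balances[d.new_address] += d.value
        # otherwise d.value is ignored and stays on the deployer's balance
    return balances


def stranded_value(balances):
    """Invariant check: the deployer should hold nothing once the batch is done."""
    return balances[DEPLOYER]


# Constructed sample batch: one deployment with a constructor call, one without.
BATCH = [
    ForceDeployment("0xA", call_constructor=True, value=5),
    ForceDeployment("0xB", call_constructor=False, value=7),
]

if __name__ == "__main__":
    for fixed in (False, True):
        result = force_deploy_on_addresses(BATCH, msg_value=12, forward_always=fixed)
        print(f"forward_always={fixed}: stranded={stranded_value(result)} {result}")
```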