code-423n4 / 2023-03-zksync-findings


Missing access control when publishing compressed bytecode #96

Open code423n4 opened 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-03-zksync/blob/21d9a364a4a75adfa6f1e038232d8c0f39858a64/contracts/BytecodeCompressor.sol#L35

Vulnerability details

Impact

Missing access control gives any user the freedom to mark any bytecode as known (as long as the criteria for the bytecode and the bytecode hash are satisfied).

Proof of Concept

Marking a bytecode hash as known is done through the function markFactoryDeps in KnownCodesStorage.sol, and only by the Bootloader.
https://github.com/code-423n4/2023-03-zksync/blob/21d9a364a4a75adfa6f1e038232d8c0f39858a64/contracts/KnownCodesStorage.sol#L31
https://github.com/code-423n4/2023-03-zksync/blob/21d9a364a4a75adfa6f1e038232d8c0f39858a64/contracts/KnownCodesStorage.sol#L59

Meanwhile, it is possible to publish any bytecode (as long as it has a valid bytecode hash and a valid compressed version) through the function publishCompressedBytecode in BytecodeCompressor.
https://github.com/code-423n4/2023-03-zksync/blob/21d9a364a4a75adfa6f1e038232d8c0f39858a64/contracts/BytecodeCompressor.sol#L35

It seems that this function is missing the Bootloader access control check.

Tools Used

Recommended Mitigation Steps

It is recommended to add the OnlyBootloader modifier to the function publishCompressedBytecode.
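The pattern the finding describes, as an added illustration that is not part of the original report or of zkSync's code: a known-codes registry writable only by the compressor, a compressor whose publishing entry point is reachable by any caller (as reported), and the same compressor with a bootloader-only modifier (as recommended). The bootloader address, contract names, the keccak256 hash stand-in and the dictionary-style compression layout are all simplifying assumptions; the one property carried over from the discussion is that the supplied bytecode must still decompress correctly before its hash is registered.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.5;

// Added illustration for this finding, not zkSync's code. The bootloader
// address, contract names, hashing and compression layout are assumptions.

address constant BOOTLOADER_FORMAL_ADDRESS = address(0x8001);

/// Known-codes registry: only the compressor that deployed it may mark a hash.
contract KnownCodesStorageLike {
    address public immutable compressor;
    mapping(bytes32 => bool) public isKnown;

    constructor() {
        compressor = msg.sender;
    }

    function markBytecodeAsPublished(bytes32 bytecodeHash) external {
        require(msg.sender == compressor, "Only compressor");
        isKnown[bytecodeHash] = true;
    }
}

abstract contract CompressorBase {
    KnownCodesStorageLike public immutable knownCodes;

    constructor() {
        knownCodes = new KnownCodesStorageLike();
    }

    modifier onlyBootloader() {
        require(msg.sender == BOOTLOADER_FORMAL_ADDRESS, "Only bootloader");
        _;
    }

    /// Shared publishing path. The raw bytecode must decompress from
    /// `compressed`, so even an unrestricted caller can only register a hash
    /// whose preimage is exactly the bytes they supplied.
    function _publish(bytes calldata bytecode, bytes calldata compressed)
        internal
        returns (bytes32 h)
    {
        require(_decompressMatches(bytecode, compressed), "Compressed data mismatch");
        h = keccak256(bytecode); // stand-in for the project's bytecode hash format
        knownCodes.markBytecodeAsPublished(h);
    }

    /// Assumed layout: uint16 dictionary size in 8-byte chunks, the dictionary,
    /// then one uint16 dictionary index per 8-byte chunk of the original bytecode.
    function _decompressMatches(bytes calldata bytecode, bytes calldata compressed)
        internal
        pure
        returns (bool)
    {
        if (compressed.length < 2) return false;
        uint256 dictLen = uint16(bytes2(compressed[0:2]));
        uint256 dataStart = 2 + dictLen * 8;
        if (compressed.length < dataStart) return false;
        bytes calldata dict = compressed[2:dataStart];
        bytes calldata encoded = compressed[dataStart:];
        if (encoded.length % 2 != 0 || bytecode.length != encoded.length / 2 * 8) return false;
        for (uint256 i = 0; i < encoded.length / 2; i++) {
            uint256 idx = uint16(bytes2(encoded[2 * i:2 * i + 2]));
            if (idx >= dictLen) return false;
            if (bytes8(dict[idx * 8:idx * 8 + 8]) != bytes8(bytecode[i * 8:i * 8 + 8])) return false;
        }
        return true;
    }
}

/// As reported: any account can trigger the publishing path.
contract CompressorAsReported is CompressorBase {
    function publishCompressedBytecode(bytes calldata bytecode, bytes calldata compressed)
        external
        returns (bytes32)
    {
        return _publish(bytecode, compressed);
    }
}

/// As recommended: only the bootloader may publish.
contract CompressorMitigated is CompressorBase {
    function publishCompressedBytecode(bytes calldata bytecode, bytes calldata compressed)
        external
        onlyBootloader
        returns (bytes32)
    {
        return _publish(bytecode, compressed);
    }
}
```

Calling `CompressorAsReported.publishCompressedBytecode` from an arbitrary EOA with a well-formed pair succeeds and sets `knownCodes.isKnown(keccak256(bytecode))`, while a malformed pair (wrong length, index past the dictionary, chunk mismatch) reverts in both variants; the same call against `CompressorMitigated` reverts with "Only bootloader" unless `msg.sender` is the assumed bootloader address. That is the distinction the judge draws below: the modifier removes the unrestricted entry point, but the decompression check already prevents registering a hash for bytes that were not actually supplied.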

GalloDaSballo commented 1 year ago

Interested in the sponsor's thoughts

miladpiri commented 1 year ago

Even though we add that modifier, it is technically not mandatory.

At most QA or Low.

c4-sponsor commented 1 year ago

miladpiri marked the issue as disagree with severity

GalloDaSballo commented 1 year ago

Because the bytecode is verified, I must agree with the sponsor that the finding has validity, but impact is reduced, downgrading to QA - Low

GalloDaSballo commented 1 year ago

L

c4-judge commented 1 year ago

GalloDaSballo changed the severity to QA (Quality Assurance)