Open c4-submissions opened 11 months ago
bytes032 marked the issue as primary issue
bytes032 marked the issue as sufficient quality report
Not big issue, but interesting thought. So, QA.
The duplicates indicated by the pre-sorter are irrelevant to this finding. They should be judged as separate findings.
miladpiri marked the issue as disagree with severity
miladpiri (sponsor) confirmed
GalloDaSballo changed the severity to QA (Quality Assurance)
Interesting issue but I still think it falls under admin mistake
Lines of code
https://github.com/code-423n4/2023-10-zksync/blob/main/code/system-contracts/contracts/ContractDeployer.sol#L254
Vulnerability details
Impact
The simultaneous upgrade of multiple system contracts (including ContractDeployer) in zkSync may lead to compatibility issues, as there is no enforcement mechanism to ensure that upgraded contracts are fully compatible with their older versions. This could potentially disrupt the proper functioning of the system and lead to unexpected behavior.
Proof of Concept
Let's consider a scenario where certain system contracts, including ContractDeployer, are scheduled for an upgrade. To facilitate this, the function forceDeployOnAddresses is invoked by FORCE_DEPLOYER, and an array of ForceDeployment structs is passed as an argument. Each element in this array corresponds to a specific system contract set for upgrade.
https://github.com/code-423n4/2023-10-zksync/blob/main/code/system-contracts/contracts/ContractDeployer.sol#L238
https://github.com/code-423n4/2023-10-zksync/blob/main/code/system-contracts/contracts/ContractDeployer.sol#L198
For instance, assume that only two system contracts, ContractDeployer and SystemContext, are for an upgrade. The first element of the array pertains to the new version of ContractDeployer, while the second element relates to the new version of SystemContext.
During the process of forcing deployment, an external high-level call is made to the forceDeployOnAddress function, as can be observed in line 214 of the code.
https://github.com/code-423n4/2023-10-zksync/blob/main/code/system-contracts/contracts/ContractDeployer.sol#L254
https://github.com/code-423n4/2023-10-zksync/blob/main/code/system-contracts/contracts/ContractDeployer.sol#L214
This call is responsible for deploying the new version of ContractDeployer to the same address address(0x8006) with updated bytecode and functionality. After this deployment, the code execution returns to the forceDeployOnAddresses function to proceed with the deployment of the second element of the _deployments array. In this case, the second external high-level call invokes the new version of ContractDeployer to upgrade SystemContext.
The potential issue arises if the upgraded ContractDeployer is not fully compatible with its previous version, for instance, due to changes in the ForceDeployment struct or other differences in functionality. The problem stems from the fact that there is no enforcement to ensure that if ContractDeployer is included in the list of system contracts to be upgraded, it must be the last element in the _deployments array. This arrangement can inadvertently impact subsequent upgrades in the array.
Tools Used
Recommended Mitigation Steps
It is recommended to revise line 254 as:
https://github.com/code-423n4/2023-10-zksync/blob/main/code/system-contracts/contracts/ContractDeployer.sol#L254
Assessed type
Context
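Added example, not part of the original report or of the zkSync code base: an off-chain pre-flight check, in Python, that an upgrade batch keeps ContractDeployer as its last element, which is the ordering the report says is not enforced. It assumes each ForceDeployment entry is represented as a dict with a newAddress field; the function names and the sample batch are constructed for illustration, and only the address 0x8006 comes from the report.

```python
CONTRACT_DEPLOYER = 0x8006  # ContractDeployer address as given in the report


def _addr(value):
    """Normalise an address given as int or hex string to int."""
    return value if isinstance(value, int) else int(value, 16)


def entries_after_deployer_upgrade(deployments):
    """Indices of entries that would be dispatched to the upgraded ContractDeployer."""
    for i, d in enumerate(deployments):
        if _addr(d["newAddress"]) == CONTRACT_DEPLOYER:
            return list(range(i + 1, len(deployments)))
    return []


def check_batch(deployments):
    """Return a list of problems; an empty list means the ordering is safe."""
    targets = [_addr(d["newAddress"]) for d in deployments]
    problems = []
    if targets.count(CONTRACT_DEPLOYER) > 1:
        problems.append("ContractDeployer is targeted more than once")
    exposed = entries_after_deployer_upgrade(deployments)
    if exposed:
        problems.append(
            "entries %s run on the upgraded ContractDeployer; "
            "move the 0x8006 entry to the end" % exposed
        )
    return problems


def reorder(deployments):
    """Stable reorder that puts the single ContractDeployer entry last."""
    targets = [_addr(d["newAddress"]) for d in deployments]
    if targets.count(CONTRACT_DEPLOYER) > 1:
        raise ValueError("ambiguous batch: ContractDeployer targeted more than once")
    rest = [d for d in deployments if _addr(d["newAddress"]) != CONTRACT_DEPLOYER]
    last = [d for d in deployments if _addr(d["newAddress"]) == CONTRACT_DEPLOYER]
    return rest + last


# Constructed sample batch mirroring the report's scenario (SystemContext address is a sample value).
SAMPLE = [
    {"name": "ContractDeployer", "newAddress": "0x0000000000000000000000000000000000008006"},
    {"name": "SystemContext", "newAddress": "0x000000000000000000000000000000000000800b"},
]
```

Running check_batch on the batch before it is submitted flags the scenario from the Proof of Concept; reorder produces the ordering in which every other contract is upgraded by the old ContractDeployer.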