code-423n4 / 2023-10-zksync-findings


Vulnerability in Gas Refund Handling Allows Malicious Operators to Steal User Refunds #187

Closed c4-submissions closed 11 months ago

c4-submissions commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-10-zksync/blob/24b4b0c1ea553106a194ef36ad4eb05b3b50275c/code/system-contracts/bootloader/bootloader.yul#L921

Vulnerability details

Impact

This vulnerability allows malicious operators to potentially exploit the gas refund handling mechanism, resulting in the theft of user refunds.

Proof of Concept

In the event that a user provides a gasLimit value exceeding both the MAX_GAS_PER_TRANSACTION and the operatorTrustedGasLimit while processing the L1Tx, any surplus gas will be stored in a variable known as reservedGas. This surplus gas is intended to be refunded to the user at the end of transaction execution.
https://github.com/code-423n4/2023-10-zksync/blob/7ed3944429f437a611c32e782a12b320f6a67c17/code/system-contracts/bootloader/bootloader.yul#L1137
https://github.com/code-423n4/2023-10-zksync/blob/7ed3944429f437a611c32e782a12b320f6a67c17/code/system-contracts/bootloader/bootloader.yul#L1145

When the user's transaction is executed, the refundGas is determined by taking the maximum value between potentialRefund and the refund provided by the operator, as invoked through the getOperatorRefundForTx(transactionIndex) function.
https://github.com/code-423n4/2023-10-zksync/blob/24b4b0c1ea553106a194ef36ad4eb05b3b50275c/code/system-contracts/bootloader/bootloader.yul#L918C38-L918C78

Subsequently, in the calculation of the final refundGas, the reservedGas is added to this value. This ensures that any extra gas supplied by the user is included in the final refund calculation.
https://github.com/code-423n4/2023-10-zksync/blob/24b4b0c1ea553106a194ef36ad4eb05b3b50275c/code/system-contracts/bootloader/bootloader.yul#L921

However, it's important to note that if a malicious operator deliberately provides an exceedingly large value as a refund, such as type(uint256).max, the refundGas will become equal to this large value. In cases where the reservedGas is nonzero, an overflow may occur when it is added to this inflated refundGas, causing the refundGas to reset to zero.
https://github.com/code-423n4/2023-10-zksync/blob/24b4b0c1ea553106a194ef36ad4eb05b3b50275c/code/system-contracts/bootloader/bootloader.yul#L921

Consequently, having a refundGas of zero implies that the entire gasLimit will be directed towards the operator, contrary to the intended scenario where only gasLimit - refundGas should be allocated to the operator and the remaining refundGas designated for the user.
https://github.com/code-423n4/2023-10-zksync/blob/24b4b0c1ea553106a194ef36ad4eb05b3b50275c/code/system-contracts/bootloader/bootloader.yul#L927

This manipulation by a malicious operator effectively results in the theft of the refund gas.

Tools Used

Recommended Mitigation Steps

To prevent the possibility of overflow, it is advisable to replace the use of the add function with the safeAdd function. This will ensure that the gas refund handling mechanism operates securely against potential vulnerabilities associated with integer overflow.
https://github.com/code-423n4/2023-10-zksync/blob/24b4b0c1ea553106a194ef36ad4eb05b3b50275c/code/system-contracts/bootloader/bootloader.yul#L3249
https://github.com/code-423n4/2023-10-zksync/blob/24b4b0c1ea553106a194ef36ad4eb05b3b50275c/code/system-contracts/bootloader/bootloader.yul#L921

Assessed type

Under/Overflow
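An added model of the arithmetic the report describes, written for this page and not taken from the bootloader: wrapping `add` versus a checked `safeAdd` when the operator-supplied refund is near 2**256. It assumes the simplified formula refundGas = max(potentialRefund, operatorRefund) + reservedGas and omits the bootloader's other checks; it also shows that with type(uint256).max the wrapped sum is reservedGas - 1 rather than exactly zero, and that a value of 2**256 - reservedGas is what lands on zero.

```python
MASK = (1 << 256) - 1           # Yul/EVM arithmetic is unsigned 256-bit and wraps
MAX_UINT256 = MASK              # the value the report calls type(uint256).max

def yul_add(a: int, b: int) -> int:
    """Model of Yul `add`: the EVM ADD opcode wraps modulo 2**256."""
    return (a + b) & MASK

def safe_add(a: int, b: int) -> int:
    """Model of a checked addition (the report's proposed `safeAdd`): refuses to wrap."""
    r = a + b
    if r > MAX_UINT256:
        raise OverflowError("safeAdd: addition overflows uint256")
    return r

def refund_split(gas_limit, potential_refund, operator_refund, reserved_gas, add=yul_add):
    """Simplified model (an assumption, not the bootloader's code) of the refund
    computation the report describes:
        refundGas = max(potentialRefund, operatorRefund) + reservedGas
    The operator keeps gasLimit - refundGas and the user gets refundGas.
    Returns (operator_gas, user_refund)."""
    refund_gas = add(max(potential_refund, operator_refund), reserved_gas)
    if refund_gas > gas_limit:
        # The real bootloader has its own bounds checks; this model simply stops here.
        raise ValueError("refund exceeds gasLimit")
    return gas_limit - refund_gas, refund_gas

def safe_add_rejects(gas_limit, potential_refund, operator_refund, reserved_gas) -> bool:
    """True if the checked variant refuses the same inputs instead of wrapping."""
    try:
        refund_split(gas_limit, potential_refund, operator_refund, reserved_gas, add=safe_add)
    except OverflowError:
        return True
    return False

if __name__ == "__main__":
    # Constructed sample values, not taken from any real transaction.
    GAS_LIMIT, POTENTIAL, RESERVED = 1_000_000, 300_000, 50_000
    print(refund_split(GAS_LIMIT, POTENTIAL, 0, RESERVED))             # honest: (650000, 350000)
    print(refund_split(GAS_LIMIT, POTENTIAL, MAX_UINT256, RESERVED))   # wraps: (950001, 49999)
    print(refund_split(GAS_LIMIT, POTENTIAL, (1 << 256) - RESERVED, RESERVED))  # exactly 0: (1000000, 0)
    print(safe_add_rejects(GAS_LIMIT, POTENTIAL, MAX_UINT256, RESERVED))        # True
```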

c4-pre-sort commented 1 year ago

bytes032 marked the issue as sufficient quality report

c4-pre-sort commented 1 year ago

bytes032 marked the issue as primary issue

miladpiri commented 1 year ago

Valid finding. Medium is fair.

c4-sponsor commented 1 year ago

miladpiri (sponsor) confirmed

c4-judge commented 11 months ago

GalloDaSballo marked the issue as satisfactory

c4-judge commented 11 months ago

GalloDaSballo marked issue #255 as primary and marked this issue as a duplicate of 255