Closed c4-submissions closed 11 months ago
141345 marked the issue as low quality report
Invalid - bootloader address is always hardcoded to the same address 0x8001.
miladpiri (sponsor) disputed
GalloDaSballo marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-10-zksync/blob/1fb4649b612fac7b4ee613df6f6b7d921ddd6b0d/code/system-contracts/contracts/libraries/TransactionHelper.sol#L395
Vulnerability details
Impact
The payToTheBootloader function potentially has a vulnerability as it blindly forwards a specified amount of ETH to the BOOTLOADER_FORMAL_ADDRESS. This can pose a security risk if not properly constrained. If an attacker can control the value of _transaction.maxFeePerGas and _transaction.gasLimit, it may lead to financial vulnerabilities, including potential ETH theft or misuse.
Proof of Concept
The payToTheBootloader function sends an amount of ETH to the BOOTLOADER_FORMAL_ADDRESS without any checks on the validity of the address or the amount. Here's a simplified version of the function:
This code does not check if the BOOTLOADER_FORMAL_ADDRESS is a valid address, and it blindly sends the calculated amount.
Tools Used
Manual
Recommended Mitigation Steps
To enhance the security of this function, it's crucial to add checks to ensure that the destination address (BOOTLOADER_FORMAL_ADDRESS) is a valid and expected address. Additionally, it should limit the amount sent based on certain constraints, such as a maximum limit or a pre-defined cap.
Assessed type
ETH-Transfer