c4-pre-sort
commented
1 year ago bytes032 marked the issue as duplicate of #72
Closed c4-submissions closed 1 year ago
c4-pre-sort
commented
1 year ago bytes032 marked the issue as duplicate of #72
c4-judge
commented
1 year ago GalloDaSballo changed the severity to QA (Quality Assurance)
itsmetechjay
commented
11 months ago Per the judge's request, marking as grade-C.
Lines of code
https://github.com/code-423n4/2023-10-zksync/blob/main/code/system-contracts/bootloader/bootloader.yul#L2516
Vulnerability details
Impact
In the bootloader contract, the string literal
“Failed publish timestamp data to L1”is used as an input to thedebugLogfunction. It exceeds the 32-byte limit for string literals in Yul, which leads to a compile error with the solc Solidity compiler. The usage of another compiler might lead to a similar error or silently discard parts of the string.Proof of Concept
By converting the string literal to bytes it can be seen that the length is 35 bytes. This is greater than the 32-byte limit. This could lead to futher issues when the server attempts to observe the behavior of the system.
Tools Used
Manual review
Recommended Mitigation Steps
To avoid any possible compiler, runtime issues and server side issues, consider making the string shorter by removing or abbreviating some of the words.
Assessed type
Other