Open c4-submissions opened 11 months ago
Good catch
bytes032 marked the issue as primary issue
141345 marked the issue as sufficient quality report
miladpiri (sponsor) confirmed
The Warden has shown how, due to a constant enforcement on version hashes, future hash versions would fail the check
GalloDaSballo marked the issue as selected for report
Lines of code
https://github.com/code-423n4/2023-10-zksync/blob/1fb4649b612fac7b4ee613df6f6b7d921ddd6b0d/code/era-zkevm_circuits/src/code_unpacker_sha256/mod.rs#L208-L210
Vulnerability details
Impact
In code unpacker, version hash is not correctly enforced.
Proof of Concept
In code unpacker, we enforce that version hash is correct.
The second line means, if version hash matches, state_get_from_queue must be true. But this is not what we want. The logic should be, if we are getting from queue, version hash must match. Otherwise, even if version hash is incorrect, this line passes as no constraint is actually enforced.
Let's take a closer look at fn conditionally_enforce_true, bool should_enforce is the third parameter.
Tools Used
Manual
Recommended Mitigation Steps
version_hash_matches.conditionally_enforce_true(cs, state.state_get_from_queue);
Assessed type
Context