Pending transactions in mempool might break the max supply invariant
Open, c4-bot-3 opened 9 months ago
DadeKuma marked the issue as primary issue
DadeKuma marked the issue as sufficient quality report
lumtis (sponsor) confirmed
0xean marked the issue as satisfactory
0xean marked the issue as selected for report
Lines of code
https://github.com/code-423n4/2023-11-zetachain/blob/b237708ed5e86f12c4bddabddfd42f001e81941a/repos/node/zetaclient/zeta_supply_checker.go#L221
Vulnerability details
Impact
The Zeta token supply checker delivers false positives, suggesting that there is a Zeta token supply mismatch.
Proof of Concept
The `GetPendingCCTXInTransit` function in the `ZetaSupplyChecker` is supposed to return all cctxs that are currently in transit, i.e., cctxs that are pending and soon to be sent to the receiving chains. These pending cctxs are then used to determine the amount of in-transit Zeta tokens (`zetaInTransit`), which is subsequently used in the `ValidateZetaSupply` function to check and validate the Zeta token supply.

Internally, the `GetPendingCCTXInTransit` function queries all pending cctxs for the `receivingChains` from the ZetaChain RPC in line 210. Thereafter, the cctxs are filtered in lines 221-233 by removing all cctxs that have been added to the `OutTxTracker`.

The reasoning for this is that once a cctx has been broadcast to the receiver chain by the observers, the cctx is added to the `OutTxTracker`. As a result, the cctx is no longer considered to be in transit, the Zeta token supply on the receiver chain is updated (via minting or unlocking), and the updated Zeta token supply is included in either `ethLockedAmount` or `externalChainTotalSupply`.

However, the assumption that a cctx is no longer in transit once it has been broadcast to the receiver chain and included in the `OutTxTracker` is only partially correct. Once the transaction is broadcast, it first stays in the EVM mempool until it is included in a block. Only then is the transaction executed in the EVM, the state transition applied, and the Zeta token supply updated.

Consequently, the in-transit Zeta tokens are not correctly tracked, and the supply checker cannot correctly validate the Zeta token supply.
Tools Used
Manual review
Recommended mitigation steps
I'm not entirely sure how to fix this issue and if it's even viable to do so. Rather, the supply checker should be allowed to work with a margin of error, i.e., the supply checker should be allowed to be off by a certain amount of Zeta tokens.
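To make the gap concrete, here is an added Go model (not zetaclient code) of the tracker-based filter and the supply check described in the Proof of Concept above, together with the margin-based check suggested as mitigation; the `cctx` type, its `inTracker`/`mined` flags and all amounts are constructed assumptions.

```go
package main

import "fmt"

// Constructed model of the check the report describes; not zetaclient code.
// inTracker: outbound tx broadcast and added to OutTxTracker; mined: that tx
// is actually included in a block on the receiver chain (left the mempool).
type cctx struct {
	amount           uint64
	inTracker, mined bool
}
// zetaInTransit mirrors the filter in GetPendingCCTXInTransit: a pending cctx
// stops counting as in transit as soon as it appears in the OutTxTracker.
func zetaInTransit(pending []cctx) uint64 {
	var sum uint64
	for _, c := range pending {
		if !c.inTracker {
			sum += c.amount
		}
	}
	return sum
}
// externalSupply models what receiver chains report: the mint/unlock is only
// visible once the outbound tx is mined, whatever the tracker says.
func externalSupply(base uint64, pending []cctx) uint64 {
	for _, c := range pending {
		if c.mined {
			base += c.amount
		}
	}
	return base
}
// checkSupply returns |expected - (ethLocked + external + inTransit)| and whether
// that gap is within margin (0 = strict check, >0 = the mitigation suggested above).
func checkSupply(expected, ethLocked, external, inTransit, margin uint64) (uint64, bool) {
	observed := ethLocked + external + inTransit
	gap := observed - expected
	if expected > observed {
		gap = expected - observed
	}
	return gap, gap <= margin
}

func main() {
	// Constructed numbers: 1000 total = 300 locked on Ethereum + 600 on external
	// chains + 100 across two pending cctxs, one of them broadcast but unmined.
	pending := []cctx{{amount: 60}, {amount: 40, inTracker: true}}
	inTransit, external := zetaInTransit(pending), externalSupply(600, pending)
	fmt.Println(checkSupply(1000, 300, external, inTransit, 0))  // 40 false
	fmt.Println(checkSupply(1000, 300, external, inTransit, 50)) // 40 true
}
```

The 40 tokens of the broadcast-but-unmined cctx are dropped from `zetaInTransit` yet not yet visible on the receiver chain, so the strict check fails until the outbound tx is mined, while the margin-based check tolerates the temporary gap.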
Assessed type
Other