search

code-423n4 / 2024-03-zksync-findings

1 stars 1 forks source link

No way to retrieve ETH from the contract: #117

Closed c4-bot-6 closed 5 months ago

c4-bot-6 commented 6 months ago

Lines of code

https://github.com/code-423n4/2024-03-zksync/blob/main/code/system-contracts/contracts/GasBoundCaller.sol#L15 https://github.com/code-423n4/2024-03-zksync/blob/main/code/contracts/ethereum/contracts/state-transition/chain-deps/DiamondProxy.sol#L10 https://github.com/code-423n4/2024-03-zksync/blob/main/code/system-contracts/contracts/Compressor.sol#L22 https://github.com/code-423n4/2024-03-zksync/blob/main/code/system-contracts/contracts/EmptyContract.sol#L10 https://github.com/code-423n4/2024-03-zksync/blob/main/code/system-contracts/contracts/L2BaseToken.sol#L18

Vulnerability details

The following contracts contain at least one payable function, yet the function does not utilise forwarded ETH, and the contract is missing functionality to withdraw ETH from the contract. This means that funds may become trapped in the contract indefinitely. Consider adding a withdraw/sweep function to contracts that are capable of receiving ether.

File: contracts/GasBoundCaller.sol
15      contract GasBoundCaller {

https://github.com/code-423n4/2024-03-zksync/blob/main/code/system-contracts/contracts/GasBoundCaller.sol#L15

File: contracts/ethereum/contracts/state-transition/chain-deps/DiamondProxy.sol
10      contract DiamondProxy {

https://github.com/code-423n4/2024-03-zksync/blob/main/code/contracts/ethereum/contracts/state-transition/chain-deps/DiamondProxy.sol#L10

File: system-contracts/contracts/Compressor.sol
22      contract Compressor is ICompressor, ISystemContract {

https://github.com/code-423n4/2024-03-zksync/blob/main/code/system-contracts/contracts/Compressor.sol#L22

File: system-contracts/contracts/EmptyContract.sol
10      contract EmptyContract {

https://github.com/code-423n4/2024-03-zksync/blob/main/code/system-contracts/contracts/EmptyContract.sol#L10

File: system-contracts/contracts/L2BaseToken.sol
18      contract L2BaseToken is IBaseToken, ISystemContract {

https://github.com/code-423n4/2024-03-zksync/blob/main/code/system-contracts/contracts/L2BaseToken.sol#L18

Assessed type

Other

c4-sponsor commented 6 months ago

saxenism (sponsor) acknowledged

c4-sponsor commented 6 months ago

saxenism marked the issue as disagree with severity

saxenism commented 6 months ago

We think this is a QA issue since Compressor does not need to be payable, some are invalid like gas bound caller

alex-ppg commented 5 months ago

The Warden specifies that some contracts that accept ether do not expose a mechanism to extract it out of them, however, some of the referenced contracts actively use native funds. Such submissions are better suited as part of QA reports due to relying on accidental transfers (i.e. conditional on user mistake) and the loss thereof.

c4-judge commented 5 months ago

alex-ppg marked the issue as unsatisfactory: Overinflated severity