Closed c4-bot-10 closed 4 months ago
saxenism (sponsor) disputed
Considered invalid, because l2TxHash
is a unique identifier
Based on the rationale laid out in #15 this exhibit is invalid. The l2TxHash
is a unique identifier, and thus an increment instead of an overwrite will not resolve the many issues that would arise from an l2TxHash
collision.
alex-ppg marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-03-zksync/blob/4f0ba34f34a864c354c7e8c47643ed8f4a250e13/code/contracts/ethereum/contracts/bridge/L1ERC20Bridge.sol#L154
Vulnerability details
Impact
Function
L1ERC20Bridge.deposit()
initiates a deposit by locking funds on the contract and sending the request of processing an L2 transaction where tokens would be minted. The amount of deposit is being assigned todepositAmount[msg.sender][_l1Token][l2TxHash]
mapping. However, callingdeposit()
does not increasedepositAmount[msg.sender][_l1Token][l2TxHash]
, but overwrites the old value ofdepositAmount[msg.sender][_l1Token][l2TxHash]
. This implies, that when user callsdeposit()
more than once - he will suffer for the fund loss, because the old value ofdepositAmount[msg.sender][_l1Token][l2TxHash]
will be overwritten by the new value.Proof of Concept
File: L1ERC20Bridge.sol
As demonstrated above,
depositAmount[msg.sender][_l1Token][l2TxHash]
is not increased by_amount
, but it is simply overwritten.deposit()
with_amount
set to 100.deposit()
again, with_amount
set to 50.depositAmount[msg.sender][_l1Token][l2TxHash]
should point to 150 (100 from the first call + 50 from the second call).=
operator,depositAmount[msg.sender][_l1Token][l2TxHash]
actually points to 50 (call from the 2. stage overwrote the_amount
set during the 1. stage).depositAmount[msg.sender][_l1Token][l2TxHash]
points that his deposit is only 50, while he deposited 150.Tools Used
Manual code review
Recommended Mitigation Steps
Change:
to:
Assessed type
Context