Closed c4-bot-1 closed 4 months ago
Invalid, because just the verifierParams are not updated.
saxenism (sponsor) disputed
As demonstrated above, when either of the parameters is bytes32(0) - function BaseZkSyncUpgrade._setVerifierParams()

1) The function will return when all of the parameters are bytes32(0).

2) The function _setVerifierParams() is a private function called within the _upgradeVerifier parent internal function frame, hence on return, the function will jump back to its parent function frame. The execution will still continue.
The Warden specifies that a chain ID upgrade may fail when a single empty verifier parameter is configured. As the Sponsor claims and the code confirms, all parameters will have to be 0 for the early return to trigger in verifier parameter configurations. Additionally, the return does not "bubble up" and cause execution to halt; the BaseZkSyncUpgrade::_setVerifierParams function will simply return early and the code will continue execution as expected. As such, this exhibit is considered invalid.
alex-ppg marked the issue as unsatisfactory: Invalid
Lines of code

https://github.com/code-423n4/2024-03-zksync/blob/4f0ba34f34a864c354c7e8c47643ed8f4a250e13/code/contracts/ethereum/contracts/state-transition/StateTransitionManager.sol#L202-L217
https://github.com/code-423n4/2024-03-zksync/blob/4f0ba34f34a864c354c7e8c47643ed8f4a250e13/code/contracts/ethereum/contracts/upgrades/BaseZkSyncUpgrade.sol#L147-L157
Vulnerability details

Impact

Function StateTransitionManager._setChainIdUpgrade(), which is responsible for upgrading chainId, sets VerifierParams with values which won't be accepted by the BaseZkSyncUpgrade._setVerifierParams() function. Because of that, upgrading chainId won't be possible.

Proof of Concept
File: StateTransitionManager.sol

As demonstrated above, function StateTransitionManager._setChainIdUpgrade() sets VerifierParams to:

However, those params won't be accepted by the BaseZkSyncUpgrade._setVerifierParams() function.

File: BaseZkSyncUpgrade.sol

As demonstrated above, when either of the parameters is bytes32(0), function BaseZkSyncUpgrade._setVerifierParams() will return instead of continuing execution and updating VerifierParams.

The flow can be summarized as below:

1) StateTransitionManager._setChainIdUpgrade() sets recursionNodeLevelVkHash, recursionLeafLevelVkHash and recursionCircuitsSetVksHash to bytes32(0).

2) In BaseZkSyncUpgrade._setVerifierParams() (lines 147-153) the condition

    _newVerifierParams.recursionNodeLevelVkHash == bytes32(0) &&
    _newVerifierParams.recursionLeafLevelVkHash == bytes32(0) &&
    _newVerifierParams.recursionCircuitsSetVksHash == bytes32(0)

   is fulfilled, thus the function returns instead of upgrading VerifierParams.

This leads to the conclusion that it's not possible to upgrade chainId, because StateTransitionManager._setChainIdUpgrade() sets VerifierParams to bytes32(0), and according to BaseZkSyncUpgrade._setVerifierParams() those parameters cannot be empty.

Tools Used
Manual code review
Recommended Mitigation Steps
When calling StateTransitionManager._setChainIdUpgrade(), make sure that VerifierParams (recursionNodeLevelVkHash, recursionLeafLevelVkHash, recursionCircuitsSetVksHash) are not empty and set them to the values accepted by BaseZkSyncUpgrade._setVerifierParams().

Assessed type

Invalid Validation
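To make the two disputed points concrete, here is a small self-contained Solidity model written for this review (not the zkSync contracts; the storage layout, the event, the counter and the `upgradeVerifier` caller are simplified stand-ins) that reproduces the all-zero early return and shows the parent frame continuing after it:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified model of the early-return check discussed in the issue.
// Not the zkSync contract: storage and the caller are reduced to what
// the argument needs.
contract VerifierParamsModel {
    struct VerifierParams {
        bytes32 recursionNodeLevelVkHash;
        bytes32 recursionLeafLevelVkHash;
        bytes32 recursionCircuitsSetVksHash;
    }

    VerifierParams public verifierParams;
    // Assumed counter standing in for the work the parent frame does
    // after _setVerifierParams returns (e.g. emitting the upgrade event).
    uint256 public stepsCompletedAfterParams;

    event NewVerifierParams(VerifierParams oldParams, VerifierParams newParams);

    // Mirrors the shape of the guard quoted in the report: it uses &&,
    // so it fires only when ALL three hashes are zero, not when one is.
    function _setVerifierParams(VerifierParams memory p) private {
        if (
            p.recursionNodeLevelVkHash == bytes32(0) &&
            p.recursionLeafLevelVkHash == bytes32(0) &&
            p.recursionCircuitsSetVksHash == bytes32(0)
        ) {
            return; // plain return: control goes back to the caller, no revert
        }
        VerifierParams memory old = verifierParams;
        verifierParams = p;
        emit NewVerifierParams(old, p);
    }

    // Stand-in for the parent internal frame (_upgradeVerifier in the issue).
    function upgradeVerifier(VerifierParams memory p) external {
        _setVerifierParams(p);
        // Reached on both paths: the private function's return does not
        // abort the upgrade, it only skips the params update.
        stepsCompletedAfterParams += 1;
    }
}
```

Calling `upgradeVerifier` with all three hashes zero leaves `verifierParams` untouched but still increments the counter, while a call with only one zero hash overwrites the params; that is the difference between the report's "either" and the guard's `&&`.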