Closed c4-bot-9 closed 4 months ago
saxenism (sponsor) disputed
This is invalid, because this mechanism is by design and anyone can create their own token. Also we wanted to prevent footguns.
The Warden specifies that misbehavior may arise from the legacy L1WethBridge contract interacting with the Mailbox. Per the Sponsor's comments in #35, the L1WethBridge has not been deployed on the main-net and thus is not considered an active threat to the protocol in a production environment.
Regardless of this, I do not believe the outlined behavior constitutes a vulnerability as the security check of the L1SharedBridge is a rudimentary security measure meant to protect against misuse rather than the integrity or security of the contract. A user going through the hoops described to interact with the L1SharedBridge in an insecure manner for themselves cannot be considered a vulnerability.
alex-ppg marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-03-zksync/blob/4f0ba34f34a864c354c7e8c47643ed8f4a250e13/code/contracts/ethereum/contracts/bridge/L1SharedBridge.sol#L194
https://github.com/code-423n4/2024-03-zksync/blob/4f0ba34f34a864c354c7e8c47643ed8f4a250e13/code/contracts/ethereum/contracts/state-transition/chain-deps/facets/Mailbox.sol#L206
Vulnerability details
Impact
L1SharedBridge's restriction on Weth deposit can be bypassed. Deprecated L1WethBridge.sol can still interact with Mailbox to deposit WETH on L2.
Proof of Concept
In the current hyperchain upgrade, L1WethBridge and L2WethBridge will be deprecated.
L1SharedBridge.sol has checks to ensure that weth deposit is not allowed in bridgehubDeposit() (_l1Token != l1WethAddress). This check can be bypassed. Notably, the new Mailbox.sol still maintains the legacy requestL2Transaction() for the ERA chain, but it doesn't check whether the sender is the L1WethBridge address. As a result, users can still call L1WethBridge's deposit(), which calls the new Mailbox's requestL2Transaction to deposit Weth. And the tx will go through because of the lack of checks on Weth bridge addresses on Mailbox (https://github.com/code-423n4/2024-03-zksync/blob/4f0ba34f34a864c354c7e8c47643ed8f4a250e13/code/contracts/ethereum/contracts/state-transition/chain-deps/facets/Mailbox.sol#L206). Note that _requestL2TransactionSender() will simply put msg.sender, which is L1WethBridge in this case, as l2sender and write the priority op in _requestL2Transaction(). Then, L1SharedBridge.bridgehubDepositBaseToken will be called to deposit ETH for baseCost. The _l1Token != l1WethAddress check in bridgehubDeposit() is bypassed completely.
Tools Used
Manual
Recommended Mitigation Steps
In Mailbox, consider disallowing the deprecated L1WethBridge deposit through requestL2Transaction by checking that msg.sender is not L1WethBridge.
Assessed type
Other
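Added example, not code from this report or from the zkSync repository: a hypothetical, heavily reduced Solidity model of the three contracts the report names, keeping only the token check in the shared bridge, the direct legacy-bridge-to-Mailbox call path, and the sender check the report recommends in the Mailbox. All contract names, constructor parameters and function bodies are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical, reduced models of the contracts named in the report.
// Bodies are stubs; only the checks under discussion are kept.

contract SharedBridgeModel {
    address public immutable l1WethAddress;
    constructor(address weth) { l1WethAddress = weth; }

    // The token check the report says the legacy path walks around.
    function bridgehubDeposit(address l1Token, uint256 amount) external view returns (bool) {
        require(l1Token != l1WethAddress, "ShB: WETH deposit not supported");
        return amount > 0;
    }
}

contract MailboxModel {
    address public immutable legacyWethBridge; // assumption: known at deployment
    uint256 public priorityOpCount;

    constructor(address legacy) { legacyWethBridge = legacy; }

    // Legacy entry point kept for the Era chain. The require() is the
    // recommended mitigation: without it, a call from the deprecated WETH
    // bridge is queued like any other priority op.
    function requestL2Transaction(address l2Contract, uint256 l2Value)
        external payable returns (bytes32 canonicalTxHash)
    {
        require(msg.sender != legacyWethBridge, "Mailbox: legacy WETH bridge disabled");
        priorityOpCount += 1;
        // l2Sender is recorded as msg.sender, as the report notes
        canonicalTxHash = keccak256(abi.encode(msg.sender, l2Contract, l2Value, priorityOpCount));
    }
}

contract LegacyWethBridgeModel {
    MailboxModel public immutable mailbox;
    constructor(MailboxModel m) { mailbox = m; }

    // Calls the Mailbox directly, never touching SharedBridgeModel.bridgehubDeposit().
    // With the hardened Mailbox this reverts; with the require() removed it succeeds.
    function deposit(address l2Receiver, uint256 amount) external payable returns (bytes32) {
        return mailbox.requestL2Transaction{value: msg.value}(l2Receiver, amount);
    }
}
```

Deploying MailboxModel with the LegacyWethBridgeModel address and then calling LegacyWethBridgeModel.deposit() shows the revert; deploying it with any other address reproduces the path the report describes.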