Closed c4-bot-7 closed 4 months ago
alex-ppg marked the issue as primary issue
saxenism marked the issue as disagree with severity
We consider this issue QA at best because these functions are not really needed for the initial version and are already fixed.
razzorsec (sponsor) confirmed
razzorsec (sponsor) acknowledged
The Warden specifies how functions implemented are currently not integrated by the state transition manager despite what their access control implies.
These functions mutate variables that are not utilized within the project, meaning that the maximum impact of such an exhibit is QA.
alex-ppg marked the issue as unsatisfactory: Overinflated severity
Lines of code
https://github.com/code-423n4/2024-03-zksync/blob/4f0ba34f34a864c354c7e8c47643ed8f4a250e13/code/contracts/ethereum/contracts/state-transition/chain-deps/facets/Admin.sol#L51 https://github.com/code-423n4/2024-03-zksync/blob/4f0ba34f34a864c354c7e8c47643ed8f4a250e13/code/contracts/ethereum/contracts/state-transition/chain-deps/facets/Admin.sol#L58
Vulnerability details
Impact
Key Admin facet functions(
setPorterAvailability
,setPriorityTxMaxGasLimit
) are invalidated, due to vulnerable access-control implementationsProof of Concept
Key admin facet functions such as
setPorterAvailability
andsetPriorityTxMaxGasLimit
are nowonlyStateTransitionManager
controlled. However, (1) StateTransitionManger.sol is unable to callsetPorterAvailability
in any flows. (2) StateTransitionManger.sol is unable to changePriorityTxMaxGasLimit
if needed.(1)
s.zkPorterIsAvailable
on Admin facet is not initializable in DiamondInit.sol. Neither is it callable by designated StateTransitionManger.sol because ST manager contract does not have any functions or flows that will invokesetPorterAvailability
. The result iss.zkPorterIsAvailable
will always be default false value and cannot be set or reset if needed.(https://github.com/code-423n4/2024-03-zksync/blob/4f0ba34f34a864c354c7e8c47643ed8f4a250e13/code/contracts/ethereum/contracts/state-transition/chain-deps/facets/Admin.sol#L51) (2) Although
s.priorityTxMaxGasLimit
is initializalbe by DiamondInit.sol, it is not callable by StateTransitionManager.sol due to the contract doesn't have methods or flows to call it. As a result,s.priorityTxMaxGasLimit
cannot be changed if needed.(https://github.com/code-423n4/2024-03-zksync/blob/4f0ba34f34a864c354c7e8c47643ed8f4a250e13/code/contracts/ethereum/contracts/state-transition/chain-deps/facets/Admin.sol#L58)
In addition,
setValidator()
in Admin.sol is also not callable by StateTransitionMager or chain Admin to change the ValidatorTimelock contract if needed.Tools Used
Manual
Recommended Mitigation Steps
Consider adding related methods to update chain-specific
s.zkPorterIsAvailable
ands.priorityTxMaxGasLimit
in StateTransitionManger.sol, to allow StateTransitionManger's owner to call an ST to change these parameters when needed.Assessed type
Other