Closed c4-bot-5 closed 4 months ago
saxenism (sponsor) disputed
The inclusion of tokens is currently permissioned and we do not support any non-standard implementation of ERC20s. This is an invalid
issue for us.
The Warden specifies that the L1ERC20Bridge
is incompatible with fee-on-transfer tokens and in general, any token that may transact less or more than the specified amount to the end-user. The impact of this is that the transaction will fail, and based on the Sponsor's clarification that they do not intend to support those tokens which the present code explicitly does, I consider this exhibit out-of-scope / better suited as part of an Analysis report.
alex-ppg marked the issue as unsatisfactory: Out of scope
Lines of code
https://github.com/code-423n4/2024-03-zksync/blob/4f0ba34f34a864c354c7e8c47643ed8f4a250e13/code/contracts/ethereum/contracts/bridge/L1ERC20Bridge.sol#L142-L144
Vulnerability details
description
there is a vulenrbaility arise in the function deposit in this line require(amount == _amount, "3T");,this line here where amount is the actual amount received by the shared bridge contract, and _amount is the amount the user intended to deposit. For tokens deducting fees on transfer, amount will be less than _amount, causing the transaction to revert, this This behavior can lead to failed deposit attempts for users attempting to bridge fee-on-transfer tokens, and resulting in a poor user experience and potential loss of funds due to transaction fees. Additionally, it restricts the usability of the bridge for a subset of tokens, reducing the contract's overall utility.
The bridge's inability to handle non-standard tokens limits its utility and flexibility, potentially excluding a range of tokens from being bridged.
the vulnerability is from that the contract fails to account for discrepancies between the intended deposit amount and the amount actually transferred when dealing with non-standard ERC20 tokens.
impact
this discrepancy could lead to failed transactions or incorrect bridging amounts being recorded, especially in tokens deducting fees on transfers.
Proof of Concept
i fuzz with scenario that simulate token transfers with a 1% fee deduction on each transactionand and the contract's logic was expected to transfer a specified amount to the shared bridge, and the fuzz test checked if the actual transferred amount matched the specified amount and get some result that the test not pass because the actual transferred amount (436.59 tokens) was less than the specified amount due to the 1% fee deduction, revealing that the contract does not handle non-standard token logic as expected.: Specified Deposit Amount: 441 tokens Simulated Transferred Amount (after 1% fee deduction): 436.59 tokens Expected by Contract (for a successful deposit): 441 tokens import random
so when a user attempts to deposit tokens into the bridge, expecting a 1:1 transfer, the actual amount that gets bridged is less than expected due to the fee deduction by the token. However, the contract checks for an exact match between the specified deposit amount and the transferred amount, leading to potential failures or incorrect bridging amounts being recorded.
Tools Used
manual review
Recommended Mitigation Steps
Assessed type
Other