Open c4-bot-4 opened 5 months ago
alex-ppg marked the issue as primary issue
saxenism (sponsor) confirmed
We confirm this finding. Thank you :)
Just adding a little more context here:
The deposits will fail but the user can call claimFailedDeposit to get funds back. We have failed to assign the l1LegacyBridge, but that does not pose a security risk since the l1Bridge should work as expected and therefore, the finalizeDeposit function still has a way to work. However, yes, this is an issue because this breaks our intended behaviour.
The Warden has demonstrated how a missing assignment will result in legacy transactions failing to finalize. The impact is constrained to legacy transactions, and as it is possible for users to recover their failed deposits the impact is impermanent resulting in a severity of medium being appropriate.
alex-ppg marked the issue as satisfactory
alex-ppg marked the issue as selected for report
Lines of code
https://github.com/code-423n4/2024-03-zksync/blob/4f0ba34f34a864c354c7e8c47643ed8f4a250e13/code/contracts/zksync/contracts/bridge/L2SharedBridge.sol#L68
Vulnerability details
The migration steps for L1ERC20Bridge/L2ERC20Bridge are as follows: https://github.com/code-423n4/2024-03-zksync/blob/main/docs/Protocol%20Section/Migration%20process.md
Since L2ERC20Bridge will be updated first, and then L1ERC20Bridge will be updated, L2SharedBridge needs to be compatible with the old L1ERC20Bridge before L1ERC20Bridge is updated.
So in L2SharedBridge.initialize() we need to set l1LegacyBridge = L1ERC20Bridge and finalizeDeposit() to allow l1LegacyBridge to execute.
But the current implementation doesn't set l1LegacyBridge, it's always address(0).
The above method just checks _l1LegecyBridge != address(0), and does not assign a value, l1LegacyBridge is always address(0).
This way any messages sent by the user before update L1ERC20Bridge will fail because finalizeDeposit() will not pass the validation.
Impact
Until L1ERC20Bridge is updated, messages sent by the user will fail.
Recommended Mitigation
Assessed type
Context
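The missing assignment and its effect on the finalizeDeposit() sender check, as an added example that is not part of the original report and is not the zkSync source. The contracts BridgeModel, BridgeAsReported, BridgeWithAssignment, LegacyCaller and Check, the credited mapping, the error strings and the two-argument signatures are hypothetical simplifications; the sender check is assumed to be a direct comparison of msg.sender, and initializer guards are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Simplified model for this example only (all contract names hypothetical); not the zkSync source.
abstract contract BridgeModel {
    address public l1Bridge;
    address public l1LegacyBridge;
    mapping(address => uint256) public credited; // stand-in for token minting
    // Accept a deposit message only from one of the two known bridges.
    function finalizeDeposit(address _receiver, uint256 _amount) external {
        require(msg.sender == l1Bridge || msg.sender == l1LegacyBridge, "unknown sender");
        credited[_receiver] += _amount;
    }
}

// Behaviour described in the report: the legacy address is checked, never stored.
contract BridgeAsReported is BridgeModel {
    function initialize(address _l1Bridge, address _l1LegacyBridge) external {
        require(_l1LegacyBridge != address(0), "legacy bridge is zero");
        l1Bridge = _l1Bridge; // l1LegacyBridge stays address(0)
    }
}

// Same initializer with the assignment the report says is needed.
contract BridgeWithAssignment is BridgeModel {
    function initialize(address _l1Bridge, address _l1LegacyBridge) external {
        require(_l1LegacyBridge != address(0), "legacy bridge is zero");
        l1Bridge = _l1Bridge;
        l1LegacyBridge = _l1LegacyBridge;
    }
}

// Plays the not-yet-updated L1 bridge delivering a deposit message.
contract LegacyCaller {
    function deliver(BridgeModel _bridge, address _to, uint256 _amount) external returns (bool ok) {
        try _bridge.finalizeDeposit(_to, _amount) { ok = true; } catch { ok = false; }
    }
}

contract Check {
    // Deploys both variants and reports whether each accepts the legacy sender.
    function run() external returns (bool reportedAccepts, bool fixedAccepts) {
        LegacyCaller legacy = new LegacyCaller();
        BridgeAsReported reported = new BridgeAsReported();
        BridgeWithAssignment fixedBridge = new BridgeWithAssignment();
        reported.initialize(address(this), address(legacy));
        fixedBridge.initialize(address(this), address(legacy));
        reportedAccepts = legacy.deliver(reported, address(0xBEEF), 1);
        fixedAccepts = legacy.deliver(fixedBridge, address(0xBEEF), 1);
    }
}
```

Because msg.sender is never address(0), the unassigned l1LegacyBridge slot can never match, so the legacy sender is rejected in BridgeAsReported and accepted in BridgeWithAssignment.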