Open c4-bot-7 opened 5 months ago
We confirm the finding. It is good.
We however believe that this is a medium severity issue since this is a rarely used functionality.
saxenism marked the issue as disagree with severity
saxenism (sponsor) confirmed
The Warden has identified a discrepancy in the way paymaster refunds are processed for L2 transactions, resulting in an over-compensation that overlaps with the gas spent on public data.
The exhibit is correct, and I am not in complete agreement with the Sponsor's assessment in relation to the submission's severity. The referenced code will trigger if a paymaster has been defined, and I do not believe there is any constraint that prevents a malicious user from always triggering the surplus refund and thus from slowly siphoning funds in the form of gas from the system.
As the flaw is always present and its impact is properly considered medium, I consider the combination of those two factors to merit a high severity rating.
alex-ppg marked the issue as satisfactory
alex-ppg marked the issue as selected for report
Lines of code
https://github.com/code-423n4/2024-03-zksync/blob/4f0ba34f34a864c354c7e8c47643ed8f4a250e13/code/system-contracts/bootloader/bootloader.yul#L1591
Vulnerability details
A very important modification of this update is that the gas spent by pubdata is collected at the final step of the transaction. But if there is a paymaster, when executing paymaster.postTransaction(_maxRefundedGas), _maxRefundedGas does not subtract the spentOnPubdata.
In bootloader.yul the code is as follows:
The paymaster's _maxRefundedGas = gasLeft + reservedGas, without subtracting spentOnPubdata. This way _maxRefundedGas will be much larger than the correct value, and the paymaster will refund the used spentOnPubdata to the user.
Impact
The paymaster will refund the spentOnPubdata already used by the user.
Recommended Mitigation
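The following Python model is an added illustration, not code from the zkSync repository or from the warden's report. It reproduces the refund bound as the finding describes it (gasLeft + reservedGas, with spentOnPubdata ignored) next to a version that deducts spentOnPubdata, and checks both against the accounting invariant a paymaster refund must respect: refunded gas plus gas actually consumed (execution and pubdata) can never exceed what was charged. The names gasLeft, reservedGas and spentOnPubdata come from the finding; gas_limit, the invariant check and all numbers are assumptions constructed for the example, and the corrected formula is the example's reading of the finding, not the project's published fix.

```python
"""Toy model of the paymaster refund bound discussed in the finding.

Constructed example, not zkSync bootloader code. gasLeft, reservedGas and
spentOnPubdata are the names used in the finding; gas_limit and the
invariant check are assumptions made for this illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TxGas:
    gas_limit: int         # gas charged to the paymaster up-front (assumption)
    gas_left: int          # execution gas unused after the call (gasLeft)
    reserved_gas: int      # gas set aside and not consumed (reservedGas)
    spent_on_pubdata: int  # pubdata gas charged at the final step (spentOnPubdata)

    @property
    def gas_used(self) -> int:
        # Everything that is neither left over nor reserved was consumed by execution.
        return self.gas_limit - self.gas_left - self.reserved_gas


def max_refunded_gas_vulnerable(tx: TxGas) -> int:
    """Refund bound as the finding describes it: the pubdata cost is not deducted."""
    return tx.gas_left + tx.reserved_gas


def max_refunded_gas_fixed(tx: TxGas) -> int:
    """Refund bound with spentOnPubdata deducted (the example's reading of the fix).

    Clamped at zero: if pubdata costs more than the unspent gas there is nothing
    to refund at all (how the real bootloader handles that case is not modeled).
    """
    return max(tx.gas_left + tx.reserved_gas - tx.spent_on_pubdata, 0)


def overcompensation(tx: TxGas, max_refunded_gas: int) -> int:
    """Gas refunded beyond what was genuinely unspent.

    Invariant a correct refund must keep:
        max_refunded_gas + gas_used + spent_on_pubdata <= gas_limit
    A positive return value is the amount by which that invariant is broken;
    with the vulnerable formula it equals spent_on_pubdata exactly.
    """
    return max_refunded_gas + tx.gas_used + tx.spent_on_pubdata - tx.gas_limit


def audit(tx: TxGas) -> dict:
    """Compare both refund bounds against the invariant for one transaction."""
    if tx.spent_on_pubdata > tx.gas_left + tx.reserved_gas:
        # Outside the modeled case: the transaction could not even cover its pubdata.
        raise ValueError("pubdata cost exceeds unspent gas; not modeled here")
    vuln = max_refunded_gas_vulnerable(tx)
    fixed = max_refunded_gas_fixed(tx)
    return {
        "vulnerable_refund": vuln,
        "vulnerable_excess": overcompensation(tx, vuln),
        "fixed_refund": fixed,
        "fixed_excess": overcompensation(tx, fixed),
    }


if __name__ == "__main__":
    # Constructed sample values; not taken from any real transaction.
    sample = TxGas(gas_limit=1_000_000, gas_left=300_000,
                   reserved_gas=50_000, spent_on_pubdata=120_000)
    for name, value in audit(sample).items():
        print(f"{name:>18}: {value}")
```

With the sample values the vulnerable bound refunds 350,000 gas while execution plus pubdata already consumed 770,000, so the paymaster is out of pocket by exactly the 120,000 gas of pubdata; the deducting version refunds 230,000 and the invariant holds. Running the check over a batch of real gas records would flag every transaction where the excess is positive.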
Assessed type
Context