code-423n4 / 2024-03-zksync-findings


Inconsistent behavior in forking #79

Closed c4-bot-8 closed 6 months ago

c4-bot-8 commented 7 months ago

Lines of code

https://github.com/code-423n4/2024-03-zksync/blob/main/code/system-contracts/bootloader/bootloader.yul#L1

Vulnerability details

Impact

Hey there, I was testing the functionalities of L2 smart contracts using yarn test-node and forking with Foundry. Apparently there is some inconsistency in reading the code length of some addresses.

Proof of Concept

ethereum:

  1. get the URL https://rpc.ankr.com/eth
  2. run cast code 0x0000000000000000000000000000000000000000 --rpc-url https://rpc.ankr.com/eth. This will give us 0x.
  3. run cast codesize 0x0000000000000000000000000000000000000000 --rpc-url https://rpc.ankr.com/eth. This will give us 0.

zksync:

  1. run yarn test-node. This will give us the RPC URL (in this case 127.0.0.1:8011).
  2. run cast code 0x0000000000000000000000000000000000000000 --rpc-url http://127.0.0.1:8011. This will give us '0x0000000101200190000000040000c13d0000000001000019000000110001042e0000008001000039000000400010043f0000000001000416000000000101004b0000000e0000c13d0000002001000039000001000010044300000120000004430000000501000041000000110001042e000000000100001900000012000104300000001000000432000000110001042e0000001200010430000000000000000000000002000000000000000000000000000000400000010000000000000000004d1f25f776f5b2892f4915d389c969ce225b4c569dea7e9e04c0df9bf1530f2a'.
  3. run cast codesize 0x0000000000000000000000000000000000000000 --rpc-url http://127.0.0.1:8011. This will give us 224.

Because fork testing in Foundry relies on eth_getCode, the code will read the underlying bytecode of that address without going through the bootloader, which handles the odd behavior that zkSync has.

This also applies to other addresses, such as precompile 0x01 (ecrecover) and the others.
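A pre-fork sanity check in the spirit of the PoC above, added here as an example (it is not the Warden's code nor part of the zkSync codebase): given eth_getCode results captured from an L1 endpoint and from a zkSync node, it computes the byte length the way cast codesize does, flags addresses where the two disagree, and checks whether a result has the shape zkSync requires of its bytecode. The two responses for the zero address are the ones quoted in the issue; the precompile entry is a constructed placeholder.

```python
from typing import Dict, Tuple

ZERO_ADDR = "0x0000000000000000000000000000000000000000"
ECRECOVER = "0x0000000000000000000000000000000000000001"

# eth_getCode responses as `cast code` printed them in the issue (L1 Ethereum
# vs. a local zksync test-node). The ecrecover entries are constructed
# placeholders: L1 returns no code for a precompile, the zkSync value is fake.
ETH_CODE: Dict[str, str] = {ZERO_ADDR: "0x", ECRECOVER: "0x"}
ZKSYNC_CODE: Dict[str, str] = {
    ZERO_ADDR: "0x0000000101200190000000040000c13d0000000001000019000000110001042e"
               "0000008001000039000000400010043f0000000001000416000000000101004b"
               "0000000e0000c13d000000200100003900000100001004430000012000000443"
               "0000000501000041000000110001042e00000000010000190000001200010430"
               "0000001000000432000000110001042e00000012000104300000000000000000"
               "0000000200000000000000000000000000000040000001000000000000000000"
               "4d1f25f776f5b2892f4915d389c969ce225b4c569dea7e9e04c0df9bf1530f2a",
    ECRECOVER: "0x" + "aa" * 32,  # constructed: 32 bytes, not a real precompile image
}


def codesize(hex_code: str) -> int:
    """Byte length of an eth_getCode result; "0x" (no code) is 0, like `cast codesize`."""
    body = hex_code[2:] if hex_code[:2].lower() == "0x" else hex_code
    if len(body) % 2:
        raise ValueError("odd-length hex in eth_getCode response")
    return len(bytes.fromhex(body)) if body else 0


def is_zksync_shaped(hex_code: str) -> bool:
    """zkSync Era bytecode must be a whole number of 32-byte words and the
    word count must be odd; anything else cannot be a deployed zkSync image."""
    n = codesize(hex_code)
    return n > 0 and n % 32 == 0 and (n // 32) % 2 == 1


def diff_codesizes(l1: Dict[str, str], l2: Dict[str, str]) -> Dict[str, Tuple[int, int]]:
    """Addresses whose code length differs between the two endpoints, with both
    sizes. An address missing from one side is treated as "0x" (no code)."""
    out: Dict[str, Tuple[int, int]] = {}
    for addr in sorted(set(l1) | set(l2)):
        a, b = codesize(l1.get(addr, "0x")), codesize(l2.get(addr, "0x"))
        if a != b:
            out[addr] = (a, b)
    return out


if __name__ == "__main__":
    for addr, (a, b) in diff_codesizes(ETH_CODE, ZKSYNC_CODE).items():
        print(f"{addr}: L1 codesize {a}, zkSync codesize {b}, "
              f"zksync-shaped={is_zksync_shaped(ZKSYNC_CODE[addr])}")
```

Any address listed by diff_codesizes is one where a Foundry fork of the zkSync RPC will see bytecode the bootloader would never execute as-is, so tests that branch on extcodesize for it need a different setup.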

Tools Used

Foundry

Assessed type

Other

c4-sponsor commented 7 months ago

saxenism (sponsor) confirmed

c4-sponsor commented 7 months ago

saxenism (sponsor) disputed

c4-sponsor commented 7 months ago

saxenism (sponsor) confirmed

c4-sponsor commented 7 months ago

saxenism (sponsor) disputed

alex-ppg commented 6 months ago

The Warden describes a toolkit misbehavior relying on foundry which is considered Out-of-Scope as this misbehavior has not been properly correlated or attached to any in-scope code of the contest.

c4-judge commented 6 months ago

alex-ppg marked the issue as unsatisfactory: Out of scope