Differences between ZKSync and Ethereum in handling contract deployment and address calculation
Summary
Differences between ZKSync and Ethereum in handling contract deployment and address calculation
Vulnerability Detail
According to the requirements of the project, this contract will be deployed on the l2 chain, which involves the create operation code. This is a problem in the zk network.
https://github.com/sherlock-audit/2024-08-flayer/tree/0ec252cf9ef0f3470191dcf8318f6835f5ef688c?tab=readme-ov-file#moongate
On Ethereum, it can be safely determined using the formula hash(RLP[address, nonce]). However, on ZKsync, it is advisable to wait until the contract is deployed and catch the ContractDeployed event emitted by the ContractDeployer, which provides the address of the newly deployed contract. The SDK handles all of these processes in the background to simplify the workflow.
// Deploy our new ERC20 token using Clone. We use the impending ID
// to clone in a deterministic fashion.
ICollectionToken collectionToken_ = ICollectionToken(
LibClone.cloneDeterministic(tokenImplementation, bytes32(_collectionCount))
);
/// @dev Deploys a deterministic clone of `implementation` with `salt`.
/// Deposits `value` ETH during deployment.
function cloneDeterministic(uint256 value, address implementation, bytes32 salt)
internal
returns (address instance)
{
/// @solidity memory-safe-assembly
assembly {
mstore(0x21, 0x5af43d3d93803e602a57fd5bf3)
mstore(0x14, implementation)
mstore(0x00, 0x602c3d8160093d39f33d3d3d3d363d3d37363d73)
instance := create2(value, 0x0c, 0x35, salt)
if iszero(instance) {
mstore(0x00, 0x30116425) // `DeploymentFailed()`.
revert(0x1c, 0x04)
}
mstore(0x21, 0) // Restore the overwritten part of the free memory pointer.
}
}
Tool used
Manual Review
Recommendation
Use reliable deployment tools and SDKs: For example, ensure that the ZKSync SDK or similar tools handle contract bytecode correctly.
Tart Laurel Starling
Medium
Differences between ZKSync and Ethereum in handling contract deployment and address calculation
Summary
Differences between ZKSync and Ethereum in handling contract deployment and address calculation
Vulnerability Detail
According to the requirements of the project, this contract will be deployed on the l2 chain, which involves the create operation code. This is a problem in the zk network. https://github.com/sherlock-audit/2024-08-flayer/tree/0ec252cf9ef0f3470191dcf8318f6835f5ef688c?tab=readme-ov-file#moongate On Ethereum, it can be safely determined using the formula hash(RLP[address, nonce]). However, on ZKsync, it is advisable to wait until the contract is deployed and catch the ContractDeployed event emitted by the ContractDeployer, which provides the address of the newly deployed contract. The SDK handles all of these processes in the background to simplify the workflow.
Impact
https://docs.zksync.io/build/developer-reference/ethereum-differences/evm-instructions#create-create2
Code Snippet
https://github.com/sherlock-audit/2024-08-flayer/blob/0ec252cf9ef0f3470191dcf8318f6835f5ef688c/flayer/src/contracts/Locker.sol#L311-L313
Tool used
Manual Review
Recommendation
Use reliable deployment tools and SDKs: For example, ensure that the ZKSync SDK or similar tools handle contract bytecode correctly.