search

sherlock-audit / 2024-09-symmio-v0-8-4-update-contest-judging

0 stars 0 forks source link

AuditorPraise - create2 works differently on ZkSync Era #16

Open sherlock-admin3 opened 1 week ago

sherlock-admin3 commented 1 week ago

AuditorPraise

Medium

create2 works differently on ZkSync Era

Summary

According to contest readme, issues related to any evm chain is in-scope for this contest.

On what chains are the smart contracts going to be deployed?

Any EVM-compatible network

create2 works differently on ZkSync Era

Root Cause

https://github.com/sherlock-audit/2024-09-symmio-v0-8-4-update-contest/blob/main/protocol-core/contracts/multiAccount/MultiAccount.sol#L179 create2 works differently on ZkSync Era, it cannot be used for arbitrary code unknown to the compiler. zkSynce Era Docs)

The below code snippet won't function correctly because the compiler is not aware of the bytecode beforehand

function _deployContract(bytes memory bytecode, bytes32 salt) internal returns (address contractAddress) {
        assembly {
            contractAddress := create2(0, add(bytecode, 32), mload(bytecode), salt)//@audit-issue create2 works differently on zksync
        }
        require(contractAddress != address(0), "MultiAccount: create2 failed");
        emit DeployContract(msg.sender, contractAddress);
        return contractAddress;
    }

MultiAccount._deployContract() is used by _deployPartyA() which is used by addAccount()

Due to not letting the compiler know of bytecode by using type(myContract).creationCode to generate the bytecode, MultiAccount.addAccount() won't be able to deploy partyA accounts on zksync chain.

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

MultiAccount.addAccount() won't be able to deploy partyA accounts on zksync chain due to how create2 is used

PoC

No response

Mitigation

Use type(myContract).creationCode to generate the bytecode for the create2, that way compiler is aware of the bytecode beforehand