Beginner Friendly, Foundry, Bridge
Submission Details
Severity: high
Invalid

Preservation of msg.sender in ZkSync could break certain trust assumptions

Summary

This is about a potential security vulnerability when using ZkSync, a layer-2 scaling solution for Ethereum. The vulnerability is related to msg.sender, which is preserved for L1 -> L2 calls. This means that if someone deploys a smart contract wallet on both Ethereum and ZkSync, and someone else tries to take ownership of the address on Ethereum, they might be able to impersonate the owner of the wallet on ZkSync.

Vulnerability Details

This is about a potential security vulnerability when using ZkSync, a layer-2 scaling solution for Ethereum. The vulnerability is related to msg.sender, which is preserved for L1 -> L2 calls. This means that if someone deploys a smart contract wallet on both Ethereum and ZkSync, and someone else tries to take ownership of the address on Ethereum, they might be able to impersonate the owner of the wallet on ZkSync.

Impact

Impersonating a valid signer to get into the contract

Tools Used

Manual review, Solodit

Recommendations

To prevent this issue, it is recommended to use only EOAs (non-contract accounts) when interacting with ZkSync, as only the owner with the private key of the EOA can control the EOA on any EVM chain. If Connext plans to support ZkSync, it is recommended to add a disclaimer/comment informing users about the risks and asking them to verify that they have ownership of the address in both Ethereum and ZkSync before proceeding to interact with ZkSync.

Updates

Lead Judging Commences

0xnevi Lead Judge
almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Other
