First Flight #4: Boss Bridge

First Flight #4

Beginner FriendlyFoundryBridge

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

TokenFactory.sol - create - L2 contracts should be deployed using the bytecode hash, not the full contract bytecode

0xrektified

Summary

As the documentation shows, the TokenFactory.sol will be deployed on ZkSync

- Chain(s) to deploy contracts to:

- Ethereum Mainnet:

- L1BossBridge.sol

- L1Token.sol

- L1Vault.sol

- TokenFactory.sol

- ZKSync Era:

-> - TokenFactory.sol

- Tokens:

- L1Token.sol (And copies, with different names & initial supplies)

But the create assembly operation should use a bytecode hash instead of the full bytecode

L2 contracts are deployed by bytecode hash, not by full bytecode
Factory dependencies - list of bytecode hashes that can be deployed on L2 Address derivation for create/create2 on L1 and L2 is different

Source:

https://era.zksync.io/docs/reference/architecture/contract-deployment.html#ethereum-zksync-differences-in-contract-deployment

https://github.com/code-423n4/2022-10-zksync

Vulnerability Details

DeployToken will fail on L2

function testAddToken() public {

vm.prank(owner);

-> address tokenAddress = tokenFactory.deployToken("TEST", type(L1Token).creationCode);

assertEq(tokenFactory.getTokenAddressFromSymbol("TEST"), tokenAddress);

}

Impact

Contract deployment will fail in the factory

Tools Used

Zksync doc

Recommendations

On zkSync Era, contract deployment is performed using the hash of the bytecode, and the factoryDeps field of EIP712 transactions contains the bytecode. The actual deployment occurs by providing the contract's hash to the ContractDeployer system contract.

To guarantee that create/create2 functions operate correctly, the compiler must be aware of the bytecode of the deployed contract in advance. The compiler interprets the calldata arguments as incomplete input for ContractDeployer, as the remaining part is filled in by the compiler internally.

https://era.zksync.io/docs/reference/architecture/differences-with-ethereum.html#create-create2

Updates

Lead Judging Commences

0xnevi Lead Judge almost 2 years ago

Submission Judgement Published

Validated

Assigned finding tags:

deployToken(): zksync compatibility issues

Rewards breakdown

nSLOC

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.