First Flight #19: Mondrian Wallet v2
First Flight #19
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

payForTransaction is not protected from unauthorized callers

agent3bood

Summary

The payForTransaction can be called externally by anybody, an attacker can use this function to transfer all eth from the wallet to the system bootloader denying the user form his funds.

Vulnerability Details

An attacker can send a transaction with values in _transaction.maxFeePerGas and _transaction.gasLimit that will cause the wallet to transfer all eth to the system.

payForTransaction will call _transaction.payToTheBootloader(); which in turn does not have any checks and just transfer amount.

function payToTheBootloader(Transaction memory _transaction) internal returns (bool success) {
address bootloaderAddr = BOOTLOADER_FORMAL_ADDRESS;
uint256 amount = _transaction.maxFeePerGas * _transaction.gasLimit;
assembly {
success := call(gas(), bootloaderAddr, amount, 0, 0, 0, 0)
}
}

Impact

Deny the user from using his funds in the wallet by transferring it to the system.

Tools Used

Manual review

https://code.zksync.io/tutorials/native-aa-multisig#paying-fees-for-the-transaction

Recommendations

Add requireFromBootLoader modifier.

function payForTransaction(bytes32, /*_txHash*/ bytes32, /*_suggestedSignedHash*/ Transaction memory _transaction)
external
payable
requireFromBootLoader
{
bool success = _transaction.payToTheBootloader();
if (!success) {
revert MondrianWallet2__FailedToPay();
}
}
Updates

Lead Judging Commences

bube Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Lack of access control in payForTransaction function

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.