HardhatFoundry
30,000 USDC
Submission Details
Severity: medium
Valid

Create2 Opcode works differently in zkSync

Summary

zkSync Era chain has differences in the usage of the create / create2 opcode compared to the EVM.

Vulnerability Details

The project does not explicitly claim zkSync compatibility, but since it states compatibility with any EVM chain, it seems fair to raise this.

  1. The description of CREATE and CREATE2 (https://docs.zksync.io/build/developer-reference/ethereum-differences/evm-instructions#create-create2) states that Create cannot be used for arbitrary code unknown to the compiler.

The createAccount function uses Solady's LibClone.createDeterministicERC1967 function to create a Nexus account with specific initialization data. See these lines for more information:

https://github.com/Cyfrin/2024-07-biconomy/blob/d2adadc0f3105eb789329eb3c958472638692a2d/contracts/factory/K1ValidatorFactory.sol#L76

https://github.com/Cyfrin/2024-07-biconomy/blob/d2adadc0f3105eb789329eb3c958472638692a2d/contracts/factory/NexusAccountFactory.sol#L44

https://github.com/Cyfrin/2024-07-biconomy/blob/d2adadc0f3105eb789329eb3c958472638692a2d/contracts/factory/RegistryFactory.sol#L79

As mentioned by the zkSync docs: "The code will not function correctly because the compiler is not aware of the bytecode beforehand".

This will result in loss of funds, since there is a fee to create a new instance; accordingly, every instance-creating function is made payable.

  2. This will also be a problem when computing the address on zkSync Era, since the CREATE2 address is computed differently on zkSync:

    https://github.com/Cyfrin/2024-07-biconomy/blob/d2adadc0f3105eb789329eb3c958472638692a2d/contracts/factory/RegistryFactory.sol#L145
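The two derivation rules side by side, as an added example that is not part of the audited code base or of Solady. The zkSync formula follows the zkSync docs cited above; the library and function names are assumptions made here, and `bytecodeHash` is zkSync's own versioned bytecode hash rather than keccak256 of EVM init code.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example, not part of the audited code base: predicts the CREATE2 address
/// under the EVM rule and under zkSync Era's rule so a factory (or its tests) can
/// verify that the address it announces is the one actually deployed.
library Create2AddressPredictor {
    /// zkSync's ContractDeployer mixes keccak256("zksyncCreate2") into the hash (per zkSync docs)
    bytes32 internal constant ZKSYNC_CREATE2_PREFIX = keccak256("zksyncCreate2");

    /// EVM rule: keccak256(0xff ++ deployer ++ salt ++ keccak256(initCode))[12:]
    function evmCreate2Address(address deployer, bytes32 salt, bytes memory initCode)
        internal pure returns (address)
    {
        bytes32 h = keccak256(abi.encodePacked(bytes1(0xff), deployer, salt, keccak256(initCode)));
        return address(uint160(uint256(h)));
    }

    /// zkSync rule: keccak256(prefix ++ bytes32(deployer) ++ salt ++ bytecodeHash ++ keccak256(ctorInput))[12:]
    /// `bytecodeHash` is zkSync's versioned hash of the deployed bytecode, which the zkSync
    /// compiler produces only for code it has seen; keccak256 of hand-assembled EVM init code is not it.
    function zksyncCreate2Address(address deployer, bytes32 salt, bytes32 bytecodeHash, bytes memory ctorInput)
        internal pure returns (address)
    {
        bytes32 h = keccak256(abi.encodePacked(
            ZKSYNC_CREATE2_PREFIX, bytes32(uint256(uint160(deployer))), salt, bytecodeHash, keccak256(ctorInput)
        ));
        return address(uint160(uint256(h)));
    }

    /// Guard for a payable factory: revert the whole call instead of returning an address
    /// that differs from what was deployed, so the caller's ETH is not left with the factory.
    function requireExpected(address deployed, address predicted) internal pure {
        require(deployed != address(0) && deployed == predicted, "create2: address mismatch");
    }
}
```

Note that the guard only helps when the deployment itself succeeds; a CREATE2 of bytecode the zkSync compiler has not seen fails before any address can be compared.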

Impact

Medium: mostly a DoS (no instances can be created on zkSync), plus loss of funds since the creating functions are payable.

Tools Used

Manual Review

Recommendations

Try using the create2 opcode directly, or one of the other approaches mentioned in the zkSync docs.

Additionally, I would also suggest providing a way to recover the lost funds if a deployment fails for any reason.

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-zksync-create-create2-opcode

Valid medium, since there is non-functionality on zkSync (cannot create accounts), since it is stated as follows:

> Blockchains:
> - Ethereum/Any EVM

Appeal created

