HardhatFoundry
30,000 USDC
Submission Details
Severity: medium
Valid

Create2 Opcode works differently in zkSync

Summary

The zkSync Era chain differs from the EVM in how the CREATE / CREATE2 opcodes behave and how the resulting addresses are derived.

Vulnerability Details

The project does not explicitly claim zkSync compatibility, but since it states compatibility with any EVM chain, it seems fair to raise this.

  1. The zkSync description of CREATE and CREATE2 (https://docs.zksync.io/build/developer-reference/ethereum-differences/evm-instructions#create-create2) states that CREATE cannot be used for arbitrary code that is unknown to the compiler.

The createAccount function uses Solady's LibClone.createDeterministicERC1967 function to create a Nexus account with specific initialization data. See these lines for more information:

https://github.com/Cyfrin/2024-07-biconomy/blob/d2adadc0f3105eb789329eb3c958472638692a2d/contracts/factory/K1ValidatorFactory.sol#L76

https://github.com/Cyfrin/2024-07-biconomy/blob/d2adadc0f3105eb789329eb3c958472638692a2d/contracts/factory/NexusAccountFactory.sol#L44

https://github.com/Cyfrin/2024-07-biconomy/blob/d2adadc0f3105eb789329eb3c958472638692a2d/contracts/factory/RegistryFactory.sol#L79

As mentioned by the zkSync docs: "The code will not function correctly because the compiler is not aware of the bytecode beforehand".

This will also result in loss of funds: creating a new instance carries a fee, which is why all the instance-creation functions are payable.

  2. This will also be a problem when computing the address on zkSync Era, since the CREATE2 address is computed differently there:

    https://github.com/Cyfrin/2024-07-biconomy/blob/d2adadc0f3105eb789329eb3c958472638692a2d/contracts/factory/RegistryFactory.sol#L145
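To make the address-derivation difference concrete, here is an added example (not code from the Biconomy repository or from the zkSync docs) that computes the EVM CREATE2 address from EIP-1014 next to the zkSync Era CREATE2 address from the docs linked above (keccak256("zksyncCreate2") prefix, sender left-padded to 32 bytes, salt, bytecode hash, keccak256 of the constructor input). Keccak-256 is implemented in pure Python so the script runs offline. The deployer, salt and bytecode are constructed sample values; the versioned zkSync bytecode hash (sha256 of the bytecode with the first four bytes replaced by a version marker and the length in 32-byte words, as zksync-ethers' hashBytecode computes it) is my recollection of that scheme and an assumption, not something the page states. An off-chain address precomputation written for the EVM formula will therefore not match what zkSync actually deploys to.

```python
import hashlib

MASK64 = (1 << 64) - 1

# Keccak-f[1600] round constants and rotation offsets (standard values).
_RC = [
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]
_ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
        [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]


def _rol(v: int, n: int) -> int:
    return ((v << n) | (v >> (64 - n))) & MASK64


def _keccak_f(s):
    # s[x][y] is the 64-bit lane at column x, row y.
    for rc in _RC:
        c = [s[x][0] ^ s[x][1] ^ s[x][2] ^ s[x][3] ^ s[x][4] for x in range(5)]      # theta
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        s = [[s[x][y] ^ d[x] for y in range(5)] for x in range(5)]
        b = [[0] * 5 for _ in range(5)]
        for x in range(5):                                                              # rho + pi
            for y in range(5):
                b[y][(2 * x + 3 * y) % 5] = _rol(s[x][y], _ROT[x][y])
        s = [[b[x][y] ^ (~b[(x + 1) % 5][y] & b[(x + 2) % 5][y]) for y in range(5)]    # chi
             for x in range(5)]
        s[0][0] ^= rc                                                                   # iota
    return s


def keccak256(data: bytes) -> bytes:
    """Ethereum's Keccak-256 (original Keccak padding 0x01...0x80, not NIST SHA3's 0x06)."""
    rate = 136
    lanes = [[0] * 5 for _ in range(5)]
    padded = bytearray(data) + b"\x01"
    while len(padded) % rate:
        padded.append(0)
    padded[-1] |= 0x80
    for off in range(0, len(padded), rate):
        for i in range(rate // 8):
            lanes[i % 5][i // 5] ^= int.from_bytes(padded[off + 8 * i:off + 8 * i + 8], "little")
        lanes = _keccak_f(lanes)
    return b"".join(lanes[i % 5][i // 5].to_bytes(8, "little") for i in range(4))


def evm_create2_address(deployer: bytes, salt: bytes, init_code: bytes) -> bytes:
    """EIP-1014: keccak256(0xff ++ deployer ++ salt ++ keccak256(init_code))[12:]."""
    return keccak256(b"\xff" + deployer + salt + keccak256(init_code))[12:]


# Prefix used by zkSync Era's ContractDeployer for CREATE2, per the linked docs.
ZKSYNC_CREATE2_PREFIX = keccak256(b"zksyncCreate2")


def zksync_bytecode_hash(bytecode: bytes) -> bytes:
    """Versioned zkSync bytecode hash (assumption, modelled on zksync-ethers hashBytecode):
    sha256(bytecode) with bytes 0-1 set to version 0x0100 and bytes 2-3 to the length in words."""
    if len(bytecode) % 32 != 0:
        raise ValueError("zkSync bytecode length must be a multiple of 32 bytes")
    words = len(bytecode) // 32
    if words % 2 == 0:
        raise ValueError("zkSync bytecode length in 32-byte words must be odd")
    h = bytearray(hashlib.sha256(bytecode).digest())
    h[0], h[1] = 0x01, 0x00
    h[2:4] = words.to_bytes(2, "big")
    return bytes(h)


def zksync_create2_address(sender: bytes, salt: bytes, bytecode_hash: bytes, constructor_input: bytes) -> bytes:
    """zkSync Era: keccak256(prefix ++ pad32(sender) ++ salt ++ bytecodeHash ++ keccak256(input))[12:]."""
    preimage = ZKSYNC_CREATE2_PREFIX + b"\x00" * 12 + sender + salt + bytecode_hash + keccak256(constructor_input)
    return keccak256(preimage)[12:]


# Constructed sample inputs (not values from the project).
SAMPLE_DEPLOYER = bytes.fromhex("00000000000000000000000000000000deadbeef")
SAMPLE_SALT = (0xCAFEBABE).to_bytes(32, "big")
SAMPLE_INIT_CODE = bytes.fromhex("deadbeef")          # EIP-1014 test vector input
SAMPLE_ZK_BYTECODE = bytes(range(32))                 # one 32-byte word (odd word count)


def compare_addresses():
    """Same deployer, salt and code: the EVM and zkSync derivations disagree."""
    evm = evm_create2_address(SAMPLE_DEPLOYER, SAMPLE_SALT, SAMPLE_ZK_BYTECODE)
    zk = zksync_create2_address(SAMPLE_DEPLOYER, SAMPLE_SALT, zksync_bytecode_hash(SAMPLE_ZK_BYTECODE), b"")
    return evm.hex(), zk.hex()


if __name__ == "__main__":
    evm_hex, zk_hex = compare_addresses()
    print("EVM    CREATE2 address:", evm_hex)
    print("zkSync CREATE2 address:", zk_hex)
```

The EVM path is checked against the EIP-1014 test vectors; the zkSync path is only checked for being well-formed and different, since the page gives no zkSync vector to compare against.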

Impact

Medium: mostly a DoS (no instances can be created on zkSync), plus loss of funds since the creation functions are payable.

Tools Used

Manual Review

Recommendations

Use the CREATE2 opcode directly, or one of the other approaches mentioned in the zkSync docs.

Additionally, provide a way to recover the funds if a deployment fails.

Updates

Lead Judging Commences

0xnevi Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-zksync-create-create2-opcode

Valid medium, since there is non-functionality on zkSync (cannot create accounts) since it is stated as follows
> Blockchains:
> - Ethereum/Any EVM

Appeal created

0xnevi Lead Judge 10 months ago
Submission Judgement Published
Validated
