Tadle

DeFiFoundry
27,750 USDC
Submission Details
Severity: high
Invalid

Users will not be able to withdraw their ETH on zksync

Line Of Code

https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/TokenManager.sol#L169

https://github.com/Cyfrin/2024-08-tadle#compatibilities

Summary

Use of .transfer, while not advisable, still works on almost all EVM chains. However, the protocol plans to deploy on any EVM-compatible chain, which includes zksync, and users will not be able to withdraw their ETH there because .transfer doesn't work on that chain.

Vulnerability Details

For context, the codebase is going to be deployed on any EVM chain and also works with ETH.

TokenManager.sol uses .transfer to send ETH when users withdraw, which according to the bot report is not advisable because the gas forwarded may not be enough. However, on most chains this still works, especially if the recipients are EOAs or don't require much gas.

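    function withdraw(
        address _tokenAddress,
        TokenBalanceType _tokenBalanceType
    ) external whenNotPaused {
        //...
        // Unwrap the wrapped native token into ETH held by this contract
        IWrappedNativeToken(wrappedNativeToken).withdraw(claimAbleAmount);
        // Forward the ETH with .transfer, which passes only a fixed 2300-gas stipend
        payable(msg.sender).transfer(claimAbleAmount);
        //...
    }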

On zksync, however, due to its dynamic gas metering, .transfer does not work at all. More information about this can be found here. Note that this is not due to a future increase in opcode costs.

Impact

Since withdraw is the way for users to get their tokens out of the protocol, users on zksync will not be able to withdraw their ETH, leading to loss of funds.

Tools Used

Manual Review

Recommendations

Use .call instead or allow transfer of wrapped native token.
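
One way to apply this recommendation, shown as an added example that is not part of the submission or of the Tadle codebase. It assumes a simplified contract that holds the wrapped native token itself; the contract name, the claimable mapping, the deposit function and the unwrap flag are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Added illustration, not Tadle code. Only withdraw, claimAbleAmount and
// wrappedNativeToken echo the finding; every other name is hypothetical.
interface IWrappedNativeToken {
    function deposit() external payable;
    function withdraw(uint256 wad) external;
    function transfer(address to, uint256 value) external returns (bool);
}

contract NativeWithdrawSketch {
    address public immutable wrappedNativeToken;
    mapping(address => uint256) public claimable; // hypothetical per-user balance
    bool private locked;                          // minimal reentrancy guard

    constructor(address _wrappedNativeToken) {
        wrappedNativeToken = _wrappedNativeToken;
    }

    // Lets the wrapped token return native ETH to this contract on withdraw().
    receive() external payable {}

    // Hypothetical funding path: wrap the sender's ETH and credit it.
    function deposit() external payable {
        IWrappedNativeToken(wrappedNativeToken).deposit{value: msg.value}();
        claimable[msg.sender] += msg.value;
    }

    /// @param unwrap true pays native ETH via call; false pays the wrapped token.
    function withdraw(bool unwrap) external {
        require(!locked, "reentrant call");
        locked = true;
        uint256 claimAbleAmount = claimable[msg.sender];
        require(claimAbleAmount > 0, "nothing to claim");
        claimable[msg.sender] = 0; // effects before interactions

        if (unwrap) {
            IWrappedNativeToken(wrappedNativeToken).withdraw(claimAbleAmount);
            // call forwards the remaining gas; .transfer caps it at 2300.
            (bool ok, ) = payable(msg.sender).call{value: claimAbleAmount}("");
            require(ok, "ETH transfer failed");
        } else {
            bool sent = IWrappedNativeToken(wrappedNativeToken).transfer(msg.sender, claimAbleAmount);
            require(sent, "wrapped transfer failed");
        }
        locked = false;
    }
}
```

Because .call hands control and gas to the recipient, the balance is zeroed and the guard is set before the external call, and the returned success flag is checked so a failed send reverts instead of silently losing the credit.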

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
