ZKsync Era (Foundry, Layer 2, 500,000 USDC)
Submission Details
Severity: low
Valid

Inadequate length check for IAssetRouterBase.finalizeDeposit.selector in function _parseL2WithdrawalMessage

Summary:

The _parseL2WithdrawalMessage function (L1Nullifier.sol) validates the message length incorrectly in the IAssetRouterBase.finalizeDeposit.selector branch. Parsing that branch requires at least 68 bytes of data, but the length check only enforces a minimum of 36 bytes. This discrepancy can lead to unsafe reads past the end of the message and to memory errors.
https://github.com/matter-labs/era-contracts/blob/9d0ffa4e846519e010329c58fb86e6f99d5e84ca/l1-contracts/contracts/bridge/L1Nullifier.sol#L608

Vulnerability Details:

The issue lies in the length check condition for the IAssetRouterBase.finalizeDeposit.selector:

  • The function includes the line:

    if (_l2ToL1message.length < 36) {
        revert WrongMsgLength(36, _l2ToL1message.length);
    }

  • However, to read functionSignature, uint256 originChainId, and bytes32 assetId, the _l2ToL1message needs to be at least 68 bytes long:
    • 4 bytes for functionSignature
    • 32 bytes for originChainId
    • 32 bytes for assetId

  • The existing check (< 36) is insufficient and could result in an out-of-bounds memory access during parsing, leading to potential vulnerabilities or unexpected behavior.

Impact:

If the length of _l2ToL1message is less than 68 but greater than 36, the current length check passes, allowing the function to proceed with reading fields from the message. However, this can result in an unknown error or undefined behavior when the function attempts to access memory beyond the available bytes. This gap in validation can make it difficult to identify the underlying issue, as the function could revert due to out-of-bounds reads without a clear diagnostic. The revert WrongMsgLength(36, _l2ToL1message.length) error only accounts for cases where the length is under 36, leading to potential confusion and debugging challenges when the message length falls within the 36-67 range.

Tools Used:

Recommendations:

Update the length check condition for the IAssetRouterBase.finalizeDeposit.selector to ensure the _l2ToL1message is at least 68 bytes long:

if (_l2ToL1message.length < 68) {
    revert WrongMsgLength(68, _l2ToL1message.length);
}

This ensures that the function reads functionSignature, originChainId, and assetId safely without risking memory access errors.
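The following Python model is an added illustration, not code from era-contracts: it mirrors the 4 + 32 + 32 byte layout of the finalizeDeposit branch, models the unchecked word reads as an explicit OutOfBoundsRead, and lets the minimum-length bound be set to 36 (as reported) or 68 (as recommended) so the two failure modes can be compared. The selector bytes and sample messages are constructed placeholders.

```python
# Added example (not the era-contracts code): models the finalizeDeposit
# branch of _parseL2WithdrawalMessage to show why the bound must be 68.
from dataclasses import dataclass

SELECTOR_LEN = 4                              # bytes4 functionSignature
WORD_LEN = 32                                 # one ABI word (uint256 / bytes32)
REQUIRED_LEN = SELECTOR_LEN + 2 * WORD_LEN    # 4 + 32 + 32 = 68


class WrongMsgLength(Exception):
    """Mirrors the contract's WrongMsgLength(expected, actual) revert."""
    def __init__(self, expected, actual):
        super().__init__(f"WrongMsgLength({expected}, {actual})")
        self.expected, self.actual = expected, actual


class OutOfBoundsRead(Exception):
    """Stands in for an unchecked read past the end of the message."""


def _read_word(msg: bytes, offset: int) -> tuple:
    # The real helper performs no bounds check; the overrun is surfaced
    # here explicitly so the failure mode is visible.
    if offset + WORD_LEN > len(msg):
        raise OutOfBoundsRead(f"read at offset {offset} exceeds length {len(msg)}")
    return msg[offset:offset + WORD_LEN], offset + WORD_LEN


@dataclass
class FinalizeDepositFields:
    origin_chain_id: int
    asset_id: bytes
    transfer_data: bytes


def parse_finalize_deposit(msg: bytes, min_len: int) -> FinalizeDepositFields:
    """min_len=36 reproduces the reported check; min_len=68 the recommended one."""
    if len(msg) < min_len:
        raise WrongMsgLength(min_len, len(msg))
    offset = SELECTOR_LEN                      # skip functionSignature
    word, offset = _read_word(msg, offset)     # uint256 originChainId
    asset_id, offset = _read_word(msg, offset) # bytes32 assetId
    return FinalizeDepositFields(int.from_bytes(word, "big"), asset_id, msg[offset:])


def classify(msg: bytes, min_len: int) -> str:
    """Report which outcome a message hits under a given length bound."""
    try:
        parse_finalize_deposit(msg, min_len)
        return "parsed"
    except WrongMsgLength:
        return "WrongMsgLength"
    except OutOfBoundsRead:
        return "OutOfBoundsRead"


# Constructed samples: a placeholder selector, then a 50-byte message (inside
# the 36..67 range from the report) and a well-formed 73-byte message.
SHORT_MSG = b"\x00\x00\x00\x00" + bytes(46)
FULL_MSG = b"\x00\x00\x00\x00" + (1).to_bytes(32, "big") + bytes(range(32)) + b"extra"
```

With the 36-byte bound the 50-byte message passes the check and fails inside the second word read; with the 68-byte bound it is rejected up front with a diagnostic that names the expected length.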

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Inadequate length check for IAssetRouterBase.finalizeDeposit.selector in function _parseL2WithdrawalMessage
