ZKsync Era
Foundry, Layer 2
500,000 USDC
Submission Details
Severity: low
Valid

CTM Admin can't revert malicious batches due to restricted permission

Summary

The chain type manager documentation states that the ChainTypeManager (CTM) admin has emergency powers to revert batches without waiting for governance approval. However, in the actual implementation in Executor.sol, revertBatchesSharedBridge is guarded only by the onlyValidator modifier, which checks s.validators[msg.sender]. A call that reaches the facet through the ChainTypeManager (the path the CTM admin has to use) has msg.sender equal to the CTM contract, so it is rejected with Unauthorized, and the CTM admin cannot perform the documented emergency batch reversion.

https://github.com/matter-labs/era-contracts/blob/9d0ffa4e846519e010329c58fb86e6f99d5e84ca/l1-contracts/contracts/state-transition/chain-deps/facets/Executor.sol#L564

    // @audit only the validator can revert batches.
@>  function revertBatchesSharedBridge(uint256, uint256 _newLastBatch) external nonReentrant onlyValidator {
        _revertBatches(_newLastBatch);
    }

@>  modifier onlyValidator() {
        if (!s.validators[msg.sender]) {
            revert Unauthorized(msg.sender);
        }
        _;
    }

Vulnerability Details

When the CTM admin attempts to revert batches through ChainTypeManager.revertBatches():

https://github.com/matter-labs/era-contracts/blob/9d0ffa4e846519e010329c58fb86e6f99d5e84ca/l1-contracts/contracts/state-transition/ChainTypeManager.sol#L282

    function revertBatches(uint256 _chainId, uint256 _newLastBatch) external onlyOwnerOrAdmin {
        IZKChain(getZKChain(_chainId)).revertBatchesSharedBridge(_chainId, _newLastBatch);
    }

The call fails because, as shown above, revertBatchesSharedBridge on Executor.sol is guarded by the onlyValidator modifier. In that call msg.sender is the ChainTypeManager contract, and the modifier only consults s.validators, never s.chainTypeManager, so the facet reverts with Unauthorized(msg.sender).

This breaks the invariant stated in the CTM documentation:

"In case we are aware that some of the committed batches on an ST are dangerous to be executed, the CTM can call revertBatches on that ST. For faster reaction, the admin of the ChainTypeManager has the ability to do so without waiting for governance approval that may take a lot of time."

Note also that Executor.sol already contains a modifier that admits the CTM alongside validators, evidently written so the CTM can call into revertBatches, but it is not applied to revertBatchesSharedBridge:

    modifier onlyValidatorOrChainTypeManager() {
        if (!s.validators[msg.sender] && msg.sender != s.chainTypeManager) {
            revert Unauthorized(msg.sender);
        }
        _;
    }
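To make the failing call path concrete, here is an added Foundry test written for this page; it is example code, not the era-contracts code or test suite. It uses simplified stand-ins for the Executor facet and the ChainTypeManager: flat storage instead of the diamond storage struct s, a single registered chain instead of a getZKChain(_chainId) lookup, a _revertBatches that only lowers a batch counter, an onlyOwnerOrAdmin that checks a single admin address, and a revertBatchesSharedBridgeFixed / revertBatchesFixed pair carrying the recommended modifier so the current and fixed behaviours can be exercised side by side. The error name Unauthorized and the two modifiers follow the snippets quoted above; every other name and value is an assumption made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

import {Test} from "forge-std/Test.sol";

// Same error shape as the facet's modifiers use.
error Unauthorized(address caller);

// Stand-in for the relevant slice of the Executor facet (constructed for this
// example; storage is flattened and _revertBatches only moves a counter).
contract MockExecutorFacet {
    mapping(address => bool) public validators;
    address public chainTypeManager;
    uint256 public totalBatchesCommitted = 10; // assumed starting state

    constructor(address _chainTypeManager, address _validator) {
        chainTypeManager = _chainTypeManager;
        validators[_validator] = true;
    }

    modifier onlyValidator() {
        if (!validators[msg.sender]) revert Unauthorized(msg.sender);
        _;
    }

    modifier onlyValidatorOrChainTypeManager() {
        if (!validators[msg.sender] && msg.sender != chainTypeManager) revert Unauthorized(msg.sender);
        _;
    }

    // As deployed: validator only, so a call arriving via the CTM contract is rejected.
    function revertBatchesSharedBridge(uint256, uint256 _newLastBatch) external onlyValidator {
        _revertBatches(_newLastBatch);
    }

    // As recommended: validator or the CTM contract (hypothetical name, for side-by-side testing).
    function revertBatchesSharedBridgeFixed(uint256, uint256 _newLastBatch) external onlyValidatorOrChainTypeManager {
        _revertBatches(_newLastBatch);
    }

    function _revertBatches(uint256 _newLastBatch) internal {
        require(_newLastBatch < totalBatchesCommitted, "nothing to revert");
        totalBatchesCommitted = _newLastBatch;
    }
}

// Stand-in for ChainTypeManager.revertBatches: forwards the call, so at the
// facet msg.sender is this contract, not the admin EOA.
contract MockChainTypeManager {
    address public admin;
    MockExecutorFacet public chain; // one chain; the real CTM resolves it from _chainId

    constructor(address _admin) { admin = _admin; }
    function setChain(MockExecutorFacet _chain) external { chain = _chain; }

    modifier onlyOwnerOrAdmin() {
        if (msg.sender != admin) revert Unauthorized(msg.sender);
        _;
    }

    function revertBatches(uint256 _chainId, uint256 _newLastBatch) external onlyOwnerOrAdmin {
        chain.revertBatchesSharedBridge(_chainId, _newLastBatch);
    }

    function revertBatchesFixed(uint256 _chainId, uint256 _newLastBatch) external onlyOwnerOrAdmin {
        chain.revertBatchesSharedBridgeFixed(_chainId, _newLastBatch);
    }
}

contract CtmRevertBatchesTest is Test {
    uint256 constant CHAIN_ID = 1; // assumed chain id
    address admin;
    address validator;
    MockChainTypeManager ctm;
    MockExecutorFacet chain;

    function setUp() public {
        admin = makeAddr("ctmAdmin");
        validator = makeAddr("validator");
        ctm = new MockChainTypeManager(admin);
        chain = new MockExecutorFacet(address(ctm), validator);
        ctm.setChain(chain);
    }

    // The finding: the admin's call bubbles up Unauthorized(ctm) because the facet
    // checks validators[] and the CTM contract is not in it.
    function test_AdminCannotRevertThroughCtm() public {
        vm.prank(admin);
        vm.expectRevert(abi.encodeWithSelector(Unauthorized.selector, address(ctm)));
        ctm.revertBatches(CHAIN_ID, 5);
    }

    // A validator calling the facet directly still succeeds, as the modifier intends.
    function test_ValidatorCanRevertDirectly() public {
        vm.prank(validator);
        chain.revertBatchesSharedBridge(CHAIN_ID, 5);
        assertEq(chain.totalBatchesCommitted(), 5);
    }

    // With the recommended modifier the CTM admin's emergency path works.
    function test_AdminCanRevertWithFixedModifier() public {
        vm.prank(admin);
        ctm.revertBatchesFixed(CHAIN_ID, 5);
        assertEq(chain.totalBatchesCommitted(), 5);
    }

    // The widened modifier still rejects an arbitrary caller.
    function test_FixedModifierRejectsStranger() public {
        address stranger = makeAddr("stranger");
        vm.prank(stranger);
        vm.expectRevert(abi.encodeWithSelector(Unauthorized.selector, stranger));
        chain.revertBatchesSharedBridgeFixed(CHAIN_ID, 5);
    }
}
```

Run it with `forge test --match-contract CtmRevertBatchesTest -vvv`. The first test is the reproduction; the third is the regression check a fix should ship with, and the fourth confirms the widened modifier does not open the function to anyone other than validators and the CTM contract itself (the CTM's own onlyOwnerOrAdmin gate is what keeps the emergency path limited to the admin).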

Impact

  • The CTM admin cannot perform the documented emergency reversion if malicious batches are committed; any revert has to go through a validator or the slower governance process, which defeats the "faster reaction" path the CTM documentation promises.

Tools Used

Manual Review

Recommendations

Replace the onlyValidator modifier on revertBatchesSharedBridge with the existing onlyValidatorOrChainTypeManager modifier in Executor.sol:

- function revertBatchesSharedBridge(uint256, uint256 _newLastBatch) external nonReentrant onlyValidator {
+ function revertBatchesSharedBridge(uint256, uint256 _newLastBatch) external nonReentrant onlyValidatorOrChainTypeManager {
_revertBatches(_newLastBatch);
}
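Review bot: The modifier swap is sufficient on its own, since onlyValidatorOrChainTypeManager already exists in the facet and the CTM side of the path is gated by onlyOwnerOrAdmin, but the hunk should land together with a regression test that calls ChainTypeManager.revertBatches(_chainId, _newLastBatch) from the CTM admin and asserts it no longer reverts with Unauthorized; without it the same modifier can silently be swapped back. A short comment above revertBatchesSharedBridge stating that the CTM contract is an intended caller would also help, given that the two near-identical modifiers were confused once already. The unnamed first uint256 parameter is left as it was.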
Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

CTM Admin can't revert malicious batches due to restricted permission

Appeal created
