In the L2WrappedBaseTokenStore contract, the admin can overwrite the l2WBaseTokenAddress mapping for any chainId an unlimited number of times. This lack of restrictions on address overwrites allows the admin to change L2 token addresses at will, potentially causing security and operational issues if abused.
The initializeChain and reinitializeChain functions allow the admin to set a new L2 wrapped token address in the l2WBaseTokenAddress mapping without restriction.
Cause: Lack of safeguards, such as overwrite limitations or multi-signature requirements, permits repeated and arbitrary changes.
Exploitation: An admin could change token addresses to malicious contracts or redirect funds to unauthorized addresses. Since no restrictions or tracking mechanisms are in place, these changes would be difficult to detect without constant monitoring.
The unlimited overwrite ability creates several risks:
Potential for Malicious Token Address Overwrites: A malicious or compromised admin could redirect token addresses to arbitrary or malicious addresses, causing users to unknowingly interact with untrusted contracts.
Loss of Trust and Reliability: If addresses can be changed arbitrarily, users and applications may lose confidence in the accuracy and reliability of the stored token addresses.
Increased Attack Surface: The unrestricted overwrite ability creates an entry point for potential exploits or accidental errors by an admin, leading to unintended consequences.
Exploit sample
Here’s a simplified example illustrating the unlimited overwrites in the contract:
In this scenario, the admin can call initializeChain repeatedly, changing l2WBaseTokenAddress for any chainId without restriction. This can lead to unauthorized or malicious changes to token addresses.
Introduce Overwrite Limitations for Admin
Description: Limit the number of times the admin can modify the l2WBaseTokenAddress mapping for each chainId.
Implementation: Use a mapping to track the number of times the address for each chainId has been set, and enforce a maximum limit (e.g., one modification by admin). Only allow further modifications by the owner.
Benefit: Reduces the risk of arbitrary overwrites, ensuring changes are intentional and limited.
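The recommendation above, written out as a Solidity example added here; it is not the audited contract's code. Only l2WBaseTokenAddress and initializeChain come from the finding; the contract name, the owner/admin storage, the counter mapping, the limit of one, the event and the custom errors are assumptions. Every write also emits an event, so changes can be tracked off-chain.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration only; not the audited contract's source.
/// Names other than l2WBaseTokenAddress and initializeChain are hypothetical.
contract LimitedWrappedBaseTokenStore {
    // Assumed limit, following the "e.g., one modification by admin" suggestion.
    uint256 public constant MAX_ADMIN_WRITES = 1;

    address public immutable owner;
    address public immutable admin;

    mapping(uint256 chainId => address l2WBaseToken) public l2WBaseTokenAddress;
    // Number of admin writes already spent for each chainId.
    mapping(uint256 chainId => uint256 writes) public adminWriteCount;

    event WBaseTokenSet(
        uint256 indexed chainId, address indexed previous, address indexed current, address setBy
    );

    error Unauthorized(address caller);
    error ZeroAddress();
    error AdminWriteLimitReached(uint256 chainId);

    constructor(address _owner, address _admin) {
        if (_owner == address(0)) revert ZeroAddress();
        owner = _owner;
        admin = _admin;
    }

    function initializeChain(uint256 _chainId, address _l2WBaseToken) external {
        if (_l2WBaseToken == address(0)) revert ZeroAddress();
        if (msg.sender == admin) {
            // The admin budget is per chainId and never resets.
            if (adminWriteCount[_chainId] >= MAX_ADMIN_WRITES) revert AdminWriteLimitReached(_chainId);
            adminWriteCount[_chainId] += 1;
        } else if (msg.sender != owner) {
            revert Unauthorized(msg.sender);
        }
        address previous = l2WBaseTokenAddress[_chainId];
        l2WBaseTokenAddress[_chainId] = _l2WBaseToken;
        // Every write, including owner overwrites, is logged for monitoring.
        emit WBaseTokenSet(_chainId, previous, _l2WBaseToken, msg.sender);
    }
}
```

Once the admin has used its single write for a chainId, a second admin call reverts with AdminWriteLimitReached, while the owner can still correct the entry and each correction appears in the WBaseTokenSet log.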