Era

ZKsync
Foundry, Layer 2
500,000 USDC
Submission Details
Severity: medium
Valid

Migration of bridges can be prevented in `Bridgehub::bridgeMint` even though the protocol intends to allow all migrations

Summary

The protocol intends to allow all bridges to be migrated. This is visible in the implementation of the `Bridgehub::_registerNewZKChain` function and its `_checkMaxNumberOfZKChains` bool, but the check in `MessageRoot::_addNewChain` can prevent this from happening during `Bridgehub::bridgeMint`.

Vulnerability Details

From the specs on `Bridgehub::_registerNewZKChain`:

```solidity
/// Providing `_checkMaxNumberOfZKChains = false` may be preferable in cases
/// where we want to guarantee that a chain can be added. These include:
/// - Migration of a chain from the mapping in the old CTM
/// - Migration of a chain to a new settlement layer
```

This indicates that cases like bridge migration shouldn't be stopped by bridges having reached `MAX_NUMBER_OF_ZK_CHAINS`, as bridge migrations should be guaranteed.

During bridge migration in `Bridgehub::bridgeMint`, when the chain being migrated is not yet deployed, the contract deploys the new chain and calls `Bridgehub::_registerNewZKChain` with `_checkMaxNumberOfZKChains = false`:

```solidity
// We want to allow any chain to be migrated,
_registerNewZKChain(bridgehubData.chainId, zkChain, false);
messageRoot.addNewChain(bridgehubData.chainId);
```

As the spec shows, the protocol wants to ensure that any chain can be migrated.

The call to `messageRoot` can break this assurance, because `MessageRoot::addNewChain` calls the internal function `_addNewChain`.

`_addNewChain` has a check:

```solidity
uint256 cachedChainCount = chainCount;
if (cachedChainCount >= MAX_NUMBER_OF_ZK_CHAINS) {
    revert TooManyChains(cachedChainCount, MAX_NUMBER_OF_ZK_CHAINS);
}
```

When `MAX_NUMBER_OF_ZK_CHAINS` has been reached, this check reverts the entire migration transaction, breaking the assurance that all migrations are guaranteed.

Impact

Denial of chain migration, which should be guaranteed at all times.

Recommendation

Consider implementing `MessageRoot::_addNewChain` the way `Bridgehub::_registerNewZKChain` is implemented, with a bool that lets the caller skip the check.
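One way the recommended flag could look, as an added sketch that is not the ZKsync code: `MessageRootModel`, `BridgehubModel`, `addNewChainFromMigration`, `chainRegistered`, `Unauthorized` and the cap of 2 are hypothetical, and Merkle-tree bookkeeping is left out so that only the cap logic is shown.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

// Added illustration, not the ZKsync contracts: a simplified model of the cap.
error TooManyChains(uint256 cachedChainCount, uint256 maxNumberOfChains);
error Unauthorized();

contract MessageRootModel {
    uint256 public constant MAX_NUMBER_OF_ZK_CHAINS = 2; // constructed small cap
    address public immutable BRIDGE_HUB;
    uint256 public chainCount;
    mapping(uint256 chainId => bool registered) public chainRegistered;

    constructor(address _bridgehub) { BRIDGE_HUB = _bridgehub; }

    // Only the bridgehub may register chains, so the uncapped path stays privileged.
    modifier onlyBridgehub() { if (msg.sender != BRIDGE_HUB) revert Unauthorized(); _; }

    // New-chain registration: cap enforced, as in the check quoted above.
    function addNewChain(uint256 _chainId) external onlyBridgehub {
        _addNewChain(_chainId, true);
    }

    // Hypothetical migration entry point: skips the cap, like _registerNewZKChain(..., false).
    function addNewChainFromMigration(uint256 _chainId) external onlyBridgehub {
        _addNewChain(_chainId, false);
    }

    function _addNewChain(uint256 _chainId, bool _checkMaxNumberOfZKChains) internal {
        uint256 cachedChainCount = chainCount;
        if (_checkMaxNumberOfZKChains && cachedChainCount >= MAX_NUMBER_OF_ZK_CHAINS) {
            revert TooManyChains(cachedChainCount, MAX_NUMBER_OF_ZK_CHAINS);
        }
        chainRegistered[_chainId] = true;
        chainCount = cachedChainCount + 1;
    }
}

contract BridgehubModel {
    MessageRootModel public immutable MESSAGE_ROOT;
    constructor() { MESSAGE_ROOT = new MessageRootModel(address(this)); }

    // With the cap full, the checked path reverts and the migration path succeeds.
    function demo() external returns (bool checkedReverted, bool migrated) {
        MESSAGE_ROOT.addNewChain(1);
        MESSAGE_ROOT.addNewChain(2);
        try MESSAGE_ROOT.addNewChain(3) {} catch { checkedReverted = true; }
        MESSAGE_ROOT.addNewChainFromMigration(3);
        migrated = MESSAGE_ROOT.chainRegistered(3);
    }
}
```

Skipping the cap lets `chainCount` exceed `MAX_NUMBER_OF_ZK_CHAINS`, so anything sized from that constant needs review before adopting this pattern.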

Updates

Lead Judging Commences

inallhonesty Lead Judge 5 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Migration blocked due to chain limit in `MessageRoot` contract
