Vulnerabity Details

The function Bootloader.yul::l1TxPreparation returns a value gasUsedOnPreparation which is used to calculate the gas used during the entire transaction that is later paid by the sender of the transaction at the end of the execution.

The gasUsedOnPreparation value is got from subtracting of the gasBeforePreparation and the final remaining gas after all the preparation opereations are done. But the issue is that this gas value gasBeforePreparation is captured after some operation which also consumes gas is excuted making the gas used in this operation not to be accounted for in the gasUsedOnPreparation value hence won't be paid for.

• https://github.com/Cyfrin/2024-10-zksync/blob/cfc1251de29379a9548eeff1eea3c78267288356/era-contracts/system-contracts/bootloader/bootloader.yul#L1099-L1103

As you can see before capturing gasBeforePreparation, the function first calls setPubdataInfo fuction which makes an external call to the system context contract of setting pubDataInfo. This consumes some gas though it may be small but this gas is not accounted for.

• https://github.com/Cyfrin/2024-10-zksync/blob/cfc1251de29379a9548eeff1eea3c78267288356/era-contracts/system-contracts/bootloader/bootloader.yul#L2838

All other functions that call setPubdataInfo like l2TxValidation account for all the gas used except for l1TxPreparation.

This gas maybe small but as more l1 transactions get executed, it will accumulate to a big value lost in operater fees.

Imapct

Less gas than one that should be paid is paid at the end of the transaction execution.

Recommendation

Consider capturing gasBeforePreparation before calling setPubdataInfo: