Era

ZKsync

FoundryLayer 2

500,000 USDC

View results

Previous Next

Submission Details

Severity: low

Valid

logic to calcute gas for sha256 is different for precompile and L1Messenger

volodya

Summary

Discrepency between logic for calculating sha gas cost lead to either to overchargin or underchaning users.

Vulnerability Details

Lets compare how two funcitons calculate number of rounds

// Copy calldata to memory for pad it

let bytesSize := calldatasize()

calldatacopy(0, 0, bytesSize)

// The sha256 padding includes additional 8 bytes of the total message's length in bits,

// so calculate the "full" message length with it.

let extendBytesLen := add(bytesSize, 8)

let padLen := sub(BLOCK_SIZE(), mod(extendBytesLen, BLOCK_SIZE())) // @ additional variable compare to l1messager

let paddedBytesSize := add(extendBytesLen, padLen)

let numRounds := div(paddedBytesSize, BLOCK_SIZE())

let precompileParams := unsafePackPrecompileParams(

0, // input offset in words

// Always divisible by 32, since `BLOCK_SIZE()` is 64 bytes

div(paddedBytesSize, 32), // input length in words (safe to pass, never exceed `type(uint32).max`)

0, // output offset in words

1, // output length in words

numRounds // number of rounds (safe to pass, never exceed `type(uint64).max`)

)

let gasToPay := mul(SHA256_ROUND_GAS_COST(), numRounds)

precompiles/SHA256.yul#L70

function sha256GasCost(uint256 _length) internal pure returns (uint256) {

return SHA256_ROUND_GAS_COST * ((_length + 8) / SHA256_ROUND_NUMBER_OF_BYTES + 1);

}

/L1Messenger.sol#L65

As we can see padLen := sub(BLOCK_SIZE(), mod(extendBytesLen, BLOCK_SIZE())) is not in a formula inside l1messagner.

Impact

Incorrect gas cost would be charged in l1messager

Tools Used

Recommendations

Align cost in l1messager with precompile formula

Updates

Lead Judging Commences

inallhonesty Lead Judge 5 months ago

Submission Judgement Published

Validated

Assigned finding tags:

logic to calcute gas for sha256 is different for precompile and L1Messenger

Appeal created

inallhonesty Lead Judge

5 months ago

inallhonesty Lead Judge 5 months ago

Submission Judgement Published

Validated

Assigned finding tags:

logic to calcute gas for sha256 is different for precompile and L1Messenger

Prize pool breakdown

Total prize

500,000 USDC

nSLOC

15,741

32 USDC / LOC

High Medium

475,000 USDC

Low

25,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.