Era

ZKsync

FoundryLayer 2

500,000 USDC

View results

Previous Next

Submission Details

Severity: low

Valid

Emergency `revertBatchesSharedBridge` call by `ChainTypeManager` admin fails due to incorrect modifier

bladesec

Summary

The ChainTypeManager admin is unable to call revertBatchesSharedBridge in the Executor facet because the function is restricted by the onlyValidator modifier instead of onlyChainTypeManager.

Vulnerability Details

According to ChainTypeManagerdoc#Emergency upgrade section in zksync doc:

In case we are aware that some of the committed batches on an ST are dangerous to be executed, the CTM can call revertBatches on that ST. For faster reaction, the admin of the ChainTypeManager has the ability to do so without waiting for govenrnace approval that may take a lot of time. This action does not lead to funds being lost, so it is considered suitable for the partially trusted role of the admin of the ChainTypeManager.

Executor facet has revertBatchesSharedBridge function which revert batches:

>> function revertBatchesSharedBridge(uint256, uint256 _newLastBatch) external nonReentrant onlyValidator {

_revertBatches(_newLastBatch);

}

However, the function is restricted by the onlyValidator modifier, requiring the caller to be a validator to execute it. This contradicts the intended behavior as outlined in the documentation.

Impact

The ChainTypeManager is unable to call revertBatchesSharedBridge in emergency situations as specified in the documentation.

Tools Used

Manual Review

Recommendations

Use onlyValidatorOrChainTypeManager modifier instead of onlyValidator:

- function revertBatchesSharedBridge(uint256, uint256 _newLastBatch) external nonReentrant onlyValidator {

+ function revertBatchesSharedBridge(uint256, uint256 _newLastBatch) external nonReentrant onlyValidatorOrChainTypeManager{

_revertBatches(_newLastBatch);

}

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Emergency `revertBatchesSharedBridge` call by `ChainTypeManager` admin fails due to incorrect modifier

Appeal created

inallhonesty Lead Judge 10 months ago

Submission Judgement Published

Validated

Assigned finding tags:

CTM Admin can't revert malicious batches due to restricted permission

Prize pool breakdown

Total prize

500,000 USDC

nSLOC

15,741

32 USDC / LOC

High Medium

475,000 USDC

Low

25,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.