Issues: code-423n4/2023-10-zksync-findings

Issues list

Missing range constraint on remainder check in div opcode implementation 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working H-01 selected for report This submission will be included/highlighted in the audit report sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") sufficient quality report This report is of sufficient quality
#1133 opened Nov 2, 2023 by thebrittfactor
QA Report bug Something isn't working grade-a Q-01 QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
#1124 opened Oct 23, 2023 by c4-submissions
A user's funds could be unclaimable and stuck in the Bridge for an unknown amount of time, potentially forever bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) downgraded by judge Judge downgraded the risk level of this issue grade-a low quality report This report is of especially low quality QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
#1122 opened Oct 23, 2023 by c4-submissions
Analysis A-01 analysis-advanced grade-a high quality report This report is of especially high quality selected for report This submission will be included/highlighted in the audit report sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons
#1117 opened Oct 23, 2023 by c4-submissions
TransactionValidator checks intrinsic costs against wrong value 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working M-01 primary issue Highest quality submission among a set of duplicates satisfactory satisfies C4 submission criteria; eligible for awards selected for report This submission will be included/highlighted in the audit report sufficient quality report This report is of sufficient quality
#1108 opened Oct 23, 2023 by c4-submissions
Unit difference between transaction encoding and bootloader memory constant 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working M-02 primary issue Highest quality submission among a set of duplicates satisfactory satisfies C4 submission criteria; eligible for awards selected for report This submission will be included/highlighted in the audit report sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") sufficient quality report This report is of sufficient quality
#1105 opened Oct 23, 2023 by c4-submissions
L1Messageer.sol#sendL2ToL1Log does not charge enough gas fee for publishPubdataAndClearState bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) downgraded by judge Judge downgraded the risk level of this issue grade-a QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons sufficient quality report This report is of sufficient quality
#1082 opened Oct 23, 2023 by c4-submissions
Gas Optimizations bug Something isn't working G (Gas Optimization) G-01 grade-b sufficient quality report This report is of sufficient quality
#1058 opened Oct 23, 2023 by c4-submissions
Gas Optimizations bug Something isn't working edited-by-warden G (Gas Optimization) G-02 grade-a sufficient quality report This report is of sufficient quality
#1050 opened Oct 23, 2023 by c4-submissions
QA Report bug Something isn't working grade-b Q-03 QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
#1044 opened Oct 23, 2023 by c4-submissions
Gas Optimizations bug Something isn't working G (Gas Optimization) G-03 grade-b sufficient quality report This report is of sufficient quality
#1037 opened Oct 23, 2023 by c4-submissions
Gas Optimizations bug Something isn't working G (Gas Optimization) G-04 grade-b sufficient quality report This report is of sufficient quality
#1034 opened Oct 23, 2023 by c4-submissions
PRIORITY_EXPIRATION is set to 0 which is unintended behaviour as this even causes transactions to always have their expiry as block.timestamp bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) downgraded by judge Judge downgraded the risk level of this issue grade-a primary issue Highest quality submission among a set of duplicates QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons sufficient quality report This report is of sufficient quality
#1027 opened Oct 23, 2023 by c4-submissions
QA Report bug Something isn't working grade-a Q-02 QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
#984 opened Oct 23, 2023 by c4-submissions
Loss of funds for the sender when L1->L2 TX fails in the bootloader on L2 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) M-03 primary issue Highest quality submission among a set of duplicates selected for report This submission will be included/highlighted in the audit report sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") sufficient quality report This report is of sufficient quality
#979 opened Oct 23, 2023 by c4-submissions
Malicious operator can freeze users' bridged ERC20 tokens by appending transactions after the merkle tree is full bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) downgraded by judge Judge downgraded the risk level of this issue duplicate-853 grade-a low quality report This report is of especially low quality Q-05 QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
#938 opened Oct 23, 2023 by c4-submissions
Gas Optimizations bug Something isn't working G (Gas Optimization) G-05 grade-a sufficient quality report This report is of sufficient quality
#924 opened Oct 23, 2023 by c4-submissions
QA Report bug Something isn't working grade-b Q-06 QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
#914 opened Oct 23, 2023 by c4-submissions
QA Report bug Something isn't working grade-b Q-07 QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
#896 opened Oct 23, 2023 by c4-submissions
Incorrect max precompile address 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working M-04 primary issue Highest quality submission among a set of duplicates satisfactory satisfies C4 submission criteria; eligible for awards selected for report This submission will be included/highlighted in the audit report sufficient quality report This report is of sufficient quality
#888 opened Oct 23, 2023 by c4-submissions
EIP-155 is not enforced, allowing attackers/malicious operators to profit from replaying transactions 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) downgraded by judge Judge downgraded the risk level of this issue M-05 primary issue Highest quality submission among a set of duplicates selected for report This submission will be included/highlighted in the audit report sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") sufficient quality report This report is of sufficient quality
#882 opened Oct 23, 2023 by c4-submissions
Analysis A-02 analysis-advanced grade-b sufficient quality report This report is of sufficient quality
#881 opened Oct 23, 2023 by c4-submissions
Risk of Refund Loss During Upgrade Transactions bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) downgraded by judge Judge downgraded the risk level of this issue grade-a ineligible for award QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons sufficient quality report This report is of sufficient quality
#880 opened Oct 23, 2023 by c4-submissions
Nonce ordering of EOA can be updated to "arbitary" through an L1 tx 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) M-06 primary issue Highest quality submission among a set of duplicates satisfactory satisfies C4 submission criteria; eligible for awards selected for report This submission will be included/highlighted in the audit report sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") sufficient quality report This report is of sufficient quality
#861 opened Oct 23, 2023 by c4-submissions
QA Report bug Something isn't working edited-by-warden grade-b Q-04 QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
#819 opened Oct 23, 2023 by c4-submissions