Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Important require check inside L1Messenger is always true #853

Closed
c4-submissions opened this issue Oct 23, 2023 · 10 comments
Closed

Important require check inside L1Messenger is always true #853

c4-submissions opened this issue Oct 23, 2023 · 10 comments
Labels
bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) downgraded by judge Judge downgraded the risk level of this issue grade-c low quality report This report is of especially low quality primary issue Highest quality submission among a set of duplicates QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")

Comments

@c4-submissions
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2023-10-zksync/blob/ef99273a8fdb19f5912ca38ba46d6bd02071363d/code/system-contracts/contracts/L1Messenger.sol#L205-L206

Vulnerability details

Impact

There is no check of the size of logs, due to an error in the code.
An important require is always true.

The aim of L1Messenger.sol is to send messages to L1. In particular, it sends to L1 the Merkle tree root through its function publishPubdataAndClearState() function.

In order to do that, publishPubdataAndClearState() analyzes the whole pubdata from L1 Batch.
There is an attempt to mitigate DoS at the beginning of this function, that checks the number of L2->L1 logs, in order to block inputs with too many logs.
Each log has to be stored in memory, so it is important to prevent log bomb.

Furthermore, trees into L1 contracts and the server can not be too large.

We also report what is stated in System contracts bootloader description - L1Messenger Pubdata

[40053..248052] – slots where the final batch pubdata is supplied to be verified by the L1Messenger. More on how the L1Messenger system contracts handles the pubdata can be read here.

But briefly, this space is used for the calldata to the L1Messenger’s publishPubdataAndClearState function, which
accepts the list of the user L2→L1 logs, published L2→L1 messages as well as bytecodes. It also takes the list of
full state diff entries, which describe how each storage slot has changed as well as compressed state diffs. This
method will then check the correctness of the provided data and publish the hash of the correct pubdata to L1.

Proof of Concept

Contract: L1Messenger.sol

Code lines: 204-206

uint32 numberOfL2ToL1Logs = uint32(bytes4(_totalL2ToL1PubdataAndStateDiffs[calldataPtr:calldataPtr + 4]));
require(numberOfL2ToL1Logs <= numberOfL2ToL1Logs, "Too many L2->L1 logs");

It is obvious that numberOfL2ToL1Logs <= numberOfL2ToL1Logs is always true: it is a comparison between the same valued.

So there is no check of Too many L2->L1 logs.

So it is possible to call publishPubdataAndClearState() using parameter _totalL2ToL1PubdataAndStateDiffs with any number of L2->L1 logs inside.
This behavior can be exploited to perform a DoS attack on the server, because everyone could ask to server to store in memory a huge amount of logs.

Tools Used

Visual inspection.

Recommended Mitigation Steps

It is clearly a code mistake. It should be a constant inside require, in order to assert that the number of logs is capped.

require(numberOfL2ToL1Logs <= MAX_NUMBER_OF_L2_TO_L1_LOGS, "Too many L2->L1 logs");

Assessed type

DoS
@c4-submissions c4-submissions added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Oct 23, 2023
jacobheun pushed a commit that referenced this issue Oct 24, 2023
@c4-submissions
niser93 issue #853
c204a23
@c4-pre-sort
Copy link

bytes032 marked the issue as low quality report

@c4-pre-sort c4-pre-sort added the low quality report This report is of especially low quality label Oct 31, 2023
@c4-pre-sort
Copy link

141345 marked the issue as primary issue

@c4-pre-sort c4-pre-sort added the primary issue Highest quality submission among a set of duplicates label Nov 2, 2023
This was referenced Nov 2, 2023
Closed
Closed
Closed
Closed
Open
Closed
Closed
Closed
Open
This was referenced Nov 3, 2023
Open
Closed
Closed
Closed
Open
Closed
Open
Closed
Closed
Closed
Open
Open
@miladpiri
Copy link

miladpiri commented Nov 8, 2023
edited
Loading

QA.
Duplicate: #312

@c4-sponsor
Copy link

miladpiri marked the issue as disagree with severity

@c4-sponsor c4-sponsor added the disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) label Nov 8, 2023
@c4-sponsor
Copy link

miladpiri (sponsor) confirmed

@c4-sponsor c4-sponsor added the sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") label Nov 8, 2023
@miladpiri miladpiri mentioned this issue Nov 9, 2023
Open
@c4-judge c4-judge mentioned this issue Nov 25, 2023
Closed
@c4-judge c4-judge added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value downgraded by judge Judge downgraded the risk level of this issue and removed 3 (High Risk) Assets can be stolen/lost/compromised directly labels Nov 25, 2023
@c4-judge
Copy link
Contributor

GalloDaSballo changed the severity to 2 (Med Risk)

@GalloDaSballo
Copy link

I think that the finding highlights a mistake (a vacous check)

I think that due to other checks, there's no scenario for exploit, but will double check

@GalloDaSballo
Copy link

GalloDaSballo commented Nov 25, 2023
edited
Loading

#938 is a better example of how this could be used, however, I believe that checksum / keccak of said altered hash would have a different root meaning that it wouldn't pass the check

@c4-judge c4-judge added QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Nov 25, 2023
@c4-judge
Copy link
Contributor

GalloDaSballo changed the severity to QA (Quality Assurance)

@itsmetechjay
Copy link

Per the judge's request, marking as grade-C and closing.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) downgraded by judge Judge downgraded the risk level of this issue grade-c low quality report This report is of especially low quality primary issue Highest quality submission among a set of duplicates QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@GalloDaSballo @miladpiri @itsmetechjay @c4-judge @c4-sponsor @c4-pre-sort @c4-submissions