In exec_create, if unable to transfer value, evm should be returned, not child_evm

[howlbot-integration]

Lines of code

https://github.com/kkrt-labs/kakarot/blob/7411a5520e8a00be6f5243a50c160e66ad285563/src/kakarot/instructions/system_operations.cairo#L195-L198

Vulnerability details

Impact

By returning child_evm, Kakarot will continue with the contract cration even though transferring the attached value was unsuccessful

Proof of Concept

Looking at the exec_create function:

    func exec_create{
        ...
    }(evm: model.EVM*) -> model.EVM* {
        ...
        let transfer = model.Transfer(evm.message.address, target_account.address, [value]);
        let success = State.add_transfer(transfer);
        if (success == 0) {
            Stack.push_uint128(0);
            return child_evm;
        }

        return child_evm;
    }

If there is an error in transferring the value, 0 gets pushed to the stack, but the Kakarot VM continues execution in the child_context.
The correct behaviour should be that if there is an error in transferring value to the target address, Kakarot should continue execution in the current call context(not child context).
This way, the contract making the create call will know that there was an error, and handle it appropriately.

Recommended Mitigation Steps

return evm, not child_evm in the highighted code.

Assessed type

Other

[ClementWalter]

Severity: Invalid, To fix

Comment: This is dead code (see original verification at https://github.com/kkrt-labs/kakarot/blob/7411a5520e8a00be6f5243a50c160e66ad285563/src/kakarot/instructions/system_operations.cairo#L123-L130).

[c4-judge]

dmvt changed the severity to QA (Quality Assurance)

[c4-judge]

dmvt marked the issue as grade-b