Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
code423n4Code4renaCODE423N4:2022-10-ZKSYNC-FINDINGS-ISSUES-202
HistoryNov 07, 2022 - 12:00 a.m.

Cross-chain replay attacks are possible with create2()

2022-11-0700:00:00
Code4rena
github.com
7
vulnerability
create2 function
replay attacks
chain id
network
attacker
steal funds
code review
JSON

Lines of code

Vulnerability details

Impact

Mistakes made on one chain can be re-applied to a new chain

There is no chain.id in the create2() function data

If a user does create2() using the wrong network, an attacker can replay the action on the correct chain, and steal the funds a-la the wintermute gnosis safe attack, where the attacker can create the same address that the user tried to, and steal the funds from there

<https://mirror.xyz/0xbuidlerdao.eth/lOE5VN-BHI0olGOXe27F0auviIuoSlnou_9t3XRJseY&gt;

Proof of Concept

ethereum/contracts/common/L2ContractHelper.sol:
  18  
  19:     function create2(
  20:         bytes32 _salt,
  21:         bytes32 _bytecodeHash,
  22:         bytes calldata _input
  23:     ) external;
  24  }

zksync/contracts/L2ContractHelper.sol:
   9  interface IContractDeployer {
  10:     function create2(
  11:         bytes32 _salt,
  12:         bytes32 _bytecodeHash,
  13:         bytes calldata _input
  14:     ) external;
  15  }

Tools Used

Manual Code Review

Recommended Mitigation Steps

Include the chain.id in create2() function

The text was updated successfully, but these errors were encountered:

All reactions

JSON