uint16 type for the facet position and selector position

Code4rena, 2022-10-zksync findings, issue 312 (github.com)
Nov 09, 2022

Tags: diamond library, uint16, facet position, selector position, vulnerability, mitigation

Lines of code
<https://github.com/code-423n4/2022-10-zksync/blob/main/ethereum/contracts/zksync/libraries/Diamond.sol#L33>
<https://github.com/code-423n4/2022-10-zksync/blob/main/ethereum/contracts/zksync/libraries/Diamond.sol#L190>
<https://github.com/code-423n4/2022-10-zksync/blob/main/ethereum/contracts/zksync/libraries/Diamond.sol#L207>

Vulnerability details

Description

In the Diamond library the uint16 type is used for the facet position and the selector position in the FacetToSelectors and SelectorToFacet structs. This caps the number of distinct positions at 2^16 = 65536 (values 0 to 65535).

Once the number of facets reaches 2^16, different facets receive the same facetPosition value: the assignment ds.facetToSelectors[_facet].facetPosition = uint16(ds.facets.length); is an explicit narrowing conversion, and Solidity 0.8's checked arithmetic does not apply to explicit casts, so the high bits are dropped silently instead of reverting. The facet pushed at array index 65536 is therefore recorded with facetPosition 0, colliding with the first facet. The same truncation applies to selectorPosition, which is assigned from the selector array length through a uint16 cast, so a facet with 2^16 or more selectors gets colliding selector positions as well.

Recommended Mitigation Steps

For the facet position and selector position use a type with a larger range, for example uint32 or uint256. If the narrow storage type is kept for packing reasons, check that the array length does not exceed type(uint16).max before casting, and revert otherwise, so the limit is enforced rather than silently wrapped.
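To make the failure concrete, the following is an added example, not code from this page or from the zkSync repository. It models the facet list as a swap-and-pop registry (assumed here from the standard EIP-2535 diamond pattern, not copied from Diamond.sol) with the position width as a parameter, so the uint16 case from the description and the uint256 case from the mitigation can be compared side by side. Facet names are constructed stand-ins for contract addresses; `_truncate()` reproduces what an explicit `uint16(...)` cast does, keeping only the low bits without reverting.

```python
"""Model of diamond facet bookkeeping with a truncating position field.

Added illustration for this finding; it is not code from the 2022-10-zksync
repository. The registry mimics the swap-and-pop pattern of an EIP-2535
facet list (assumed from the standard pattern, not copied from Diamond.sol):
`facets` is the array of facet addresses and `facet_position[facet]` records
each facet's index in that array. Positions are stored through `_truncate()`,
which keeps only the low `position_bits` bits, the same thing Solidity's
explicit `uint16(...)` cast does: high bits are dropped silently.
"""


class FacetRegistry:
    def __init__(self, position_bits: int) -> None:
        self.position_bits = position_bits
        self.facets: list[str] = []               # ds.facets
        self.facet_position: dict[str, int] = {}  # facetToSelectors[f].facetPosition

    def _truncate(self, value: int) -> int:
        """Explicit narrowing conversion: keep the low `position_bits` bits."""
        return value & ((1 << self.position_bits) - 1)

    def add_facet(self, facet: str) -> None:
        if facet in self.facet_position:
            raise ValueError(f"facet already registered: {facet}")
        # Same as `facetPosition = uintN(ds.facets.length)` before the push.
        self.facet_position[facet] = self._truncate(len(self.facets))
        self.facets.append(facet)

    def remove_facet(self, facet: str) -> None:
        """Swap-and-pop removal, driven entirely by the stored position."""
        pos = self.facet_position[facet]
        last = len(self.facets) - 1
        if pos != last:
            last_facet = self.facets[last]
            self.facets[pos] = last_facet
            self.facet_position[last_facet] = self._truncate(pos)
        self.facets.pop()
        del self.facet_position[facet]

    def is_consistent(self) -> bool:
        """True iff every stored position points at the facet that owns it."""
        return len(self.facets) == len(self.facet_position) and all(
            self.facets[pos] == facet for facet, pos in self.facet_position.items()
        )


def colliding_facets(reg: FacetRegistry) -> dict[int, list[str]]:
    """Positions claimed by more than one facet (should be empty)."""
    by_pos: dict[int, list[str]] = {}
    for facet, pos in reg.facet_position.items():
        by_pos.setdefault(pos, []).append(facet)
    return {p: fs for p, fs in by_pos.items() if len(fs) > 1}


def demonstrate(position_bits: int, n_facets: int = (1 << 16) + 1) -> dict:
    """Register n_facets facets, then remove the newest one; report what broke."""
    reg = FacetRegistry(position_bits)
    # Constructed stand-ins for facet addresses; 65537 of them exceed uint16.
    names = [f"facet-{i}" for i in range(n_facets)]
    for name in names:
        reg.add_facet(name)
    collisions = colliding_facets(reg)
    consistent_after_add = reg.is_consistent()
    reg.remove_facet(names[-1])
    return {
        "collisions": collisions,
        "consistent_after_add": consistent_after_add,
        "consistent_after_remove": reg.is_consistent(),
        "stale_entry_left_in_facets": names[-1] in reg.facets,
    }


if __name__ == "__main__":
    print("uint16 :", demonstrate(16))
    print("uint256:", demonstrate(256))
```

With 16-bit positions the 65537th facet is recorded at position 0, colliding with the first facet; removing it then overwrites slot 0 with its own address and pops the real last slot, so the removed address stays in `facets` and the first facet's slot is lost. With a 256-bit position both operations stay consistent. The same arithmetic applies to selectorPosition within a single facet's selector array.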
