Code4rena (code423n4): CODE423N4:2023-03-ZKSYNC-FINDINGS-ISSUES-188
Mar 19, 2023 - 12:00 a.m.

Malicious or hacked admin can steal all ETH


Lines of code

Vulnerability details

Impact

In L2EthToken.sol we have transferFromTo(). It is possible for a malicious or hacked admin to steal the ETH.

Proof of Concept

As can be seen from the code snippet below, nothing can stop a malicious or hacked admin from stealing all ETH. He can use address _from and send the ETH to address _to.
I see from the NatSpec that the function can be called only by trusted system contracts, but for greater safety it is good to add a timelock mechanism.

function transferFromTo(address _from, address _to, uint256 _amount) external override {
    require(
        msg.sender == MSG_VALUE_SYSTEM_CONTRACT ||
            msg.sender == address(DEPLOYER_SYSTEM_CONTRACT) ||
            msg.sender == BOOTLOADER_FORMAL_ADDRESS,
        "Only system contracts with special access can call this method"
    );

    uint256 fromBalance = balance[_from];
    require(fromBalance >= _amount, "Transfer amount exceeds balance");
    unchecked {
        balance[_from] = fromBalance - _amount;
        // Overflow not possible: the sum of all balances is capped by totalSupply, and the sum is preserved by
        // decrementing then incrementing.
        balance[_to] += _amount;
    }

    emit Transfer(_from, _to, _amount);
}

Tools Used

Manual Review

Recommended Mitigation Steps

For more certainty it is good to add a timelock mechanism.
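
One way the recommended timelock could look, as an added example that is not part of the original report and is not zkSync code. `TransferTimelock`, `IPrivilegedToken`, the single `admin` role and the 2-day `DELAY` are assumptions, and it presumes the token accepts this contract as the privileged caller of transferFromTo().

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical interface: only the function shown in the report.
interface IPrivilegedToken {
    function transferFromTo(address _from, address _to, uint256 _amount) external;
}

// Hypothetical queue-then-execute wrapper around the privileged transfer.
contract TransferTimelock {
    uint256 public constant DELAY = 2 days; // assumed value
    address public immutable admin;
    IPrivilegedToken public immutable token;
    mapping(bytes32 => uint256) public readyAt; // operation id => earliest execution time

    event Queued(bytes32 indexed id, address from, address to, uint256 amount, uint256 readyAt);
    event Cancelled(bytes32 indexed id);
    event Executed(bytes32 indexed id);

    constructor(address _admin, IPrivilegedToken _token) { admin = _admin; token = _token; }

    modifier onlyAdmin() {
        require(msg.sender == admin, "Only admin");
        _;
    }

    // Step 1: announce the transfer on-chain; it cannot run before DELAY has passed.
    function queue(address _from, address _to, uint256 _amount, bytes32 _salt) external onlyAdmin returns (bytes32 id) {
        id = keccak256(abi.encode(_from, _to, _amount, _salt));
        require(readyAt[id] == 0, "Already queued");
        readyAt[id] = block.timestamp + DELAY;
        emit Queued(id, _from, _to, _amount, readyAt[id]);
    }

    function cancel(bytes32 _id) external onlyAdmin {
        require(readyAt[_id] != 0, "Not queued");
        delete readyAt[_id];
        emit Cancelled(_id);
    }

    // Step 2: execute exactly the parameters that were queued, once the delay has elapsed.
    function execute(address _from, address _to, uint256 _amount, bytes32 _salt) external onlyAdmin {
        bytes32 id = keccak256(abi.encode(_from, _to, _amount, _salt));
        uint256 t = readyAt[id];
        require(t != 0 && block.timestamp >= t, "Not ready");
        delete readyAt[id]; // clear before the external call so the operation cannot be replayed
        token.transferFromTo(_from, _to, _amount);
        emit Executed(id);
    }
}
```

The delay only helps if `Queued` events are monitored, since a compromised admin key will not cancel its own operation.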


