Mathematical inaccuracy can lead to wrong prices #8
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
edited-by-warden
sponsor disputed
Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
unsatisfactory
does not satisfy C4 submission criteria; not eligible for awards
Comments
c4-bot-7
added
3 (High Risk)
c4-bot-1
changed the title
|
saxenism (sponsor) disputed |
c4-sponsor
added
the
sponsor disputed
|
The parenthesis is not required as it does not lead to any wrong calculations in any case. |
|
The Warden describes an addition and division that utilizes an implicit order of operations that could have been incorrect. As the Sponsor outlines and the code confirms, the desired order of operations is that the division occurs before the addition which is the present behaviour rendering this exhibit invalid. |
c4-judge
added
the
unsatisfactory
|
alex-ppg marked the issue as unsatisfactory: |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/code-423n4/2024-03-zksync/blob/main/code/contracts/ethereum/contracts/state-transition/chain-deps/facets/Mailbox.sol#L167
https://github.com/code-423n4/2024-03-zksync/blob/main/code/contracts/ethereum/contracts/state-transition/chain-deps/facets/Mailbox.sol#L171
Vulnerability details
Impact
The mathematical inaccuracy in the calculation involving uint256 fullPubdataPriceBaseToken and l2GasPrice can result in precision loss
Proof of Concept
In the principle of PEDMAS/BODMAS, division comes before addition. But in the case of uint256 fullPubdataPriceBaseToken, the case is reversed. This can cause the return of wrong results. For instance, let pubdataPriceBaseToken be 10 wei, batchOverheadBaseToken be 20 wei and uint256(feeParams.maxPubdataPerBatch) be 5 wei.
Without the PEDMAS, fullPubdataPriceBaseToken will give 6 wei but result in 14 wei with PEDMAS application
Tools Used
Manual Review
Recommended Mitigation Steps
Division should come first before addition in calculations or the parameters involved in the division should be encapsulated properly:
uint256 fullPubdataPriceBaseToken = pubdataPriceBaseToken +
(batchOverheadBaseToken / uint256(feeParams.maxPubdataPerBatch));
Or:
uint256 fullPubdataPriceBaseToken = (pubdataPriceBaseToken +
batchOverheadBaseToken) / uint256(feeParams.maxPubdataPerBatch
whichever calculation is intended. Same should also apply to the l2gasprice calculation
Assessed type
Error
The text was updated successfully, but these errors were encountered: