Feature/spear bits audit5 #90
Conversation
invocamanman
force-pushed
the
feature/spearBitsAudit5
branch
from
b98f765
to
80cbd55
Compare
invocamanman
force-pushed
the
feature/spearBitsAudit5
branch
from
b59d2ff
to
1080719
Compare
invocamanman
force-pushed
the
feature/spearBitsAudit5
branch
from
98c5a0d
to
31a74f0
Compare
| newVerifyBatchTimeTarget < 1 days, | ||
| "PolygonZkEVM::setVerifyBatchTimeTarget: setVerifyBatchTimeTarget incorrect range" | ||
| ); | ||
| if (newVerifyBatchTimeTarget > 1 days) { |
There was a problem hiding this comment.
Is this a conscious choice to save a little bit of gas by not doing newVerifyBatchTimeTarget >= 1 days?
There was a problem hiding this comment.
difference here would be negligible as already discussed in https://github.com/spearbit-audits/review-polygon-zkevm-contracts/issues/22
|
lgtm! |
contracts/PolygonZkEVMBridge.sol
Outdated
| (bool success, bytes memory data) = address(token).staticcall( | ||
| abi.encodeCall(IERC20MetadataUpgradeable.decimals, ()) | ||
| ); | ||
| return success && data.length == 32 ? uint8(abi.decode(data, (uint256))) : 18; |
There was a problem hiding this comment.
Might make sense to use uint8 here and let it revert for tokens that use decimals greater than 255.
There was a problem hiding this comment.
yee i will change it again! i agree
contracts/lib/DepositContract.sol
Outdated
| depositCount < _MAX_DEPOSIT_COUNT, | ||
| "DepositContract:_deposit: Merkle tree full" | ||
| ); | ||
| if (depositCount > _MAX_DEPOSIT_COUNT) { |
There was a problem hiding this comment.
Regarding this as mentioned in https://github.com/spearbit-audits/review-polygon-zkevm-contracts/issues/22 , this would allow for _MAX_DEPOSIT_COUNT + 1 deposits which I think would overflow the merkle tree?
EDIT: This would not overflow the merkle tree but instead make use of the last empty leaf represented by 32 zero bits.
There was a problem hiding this comment.
The bit representation for _MAX_DEPOSIT_COUNT + 1 will be identical to the zero deposit when we look only at the right most 32 bits. But fortunately, we increment depositCount the first time this function is called, so we don't already use this leaf and hence, nothing should be overwritten as far as I can see.
There was a problem hiding this comment.
Yes, this was a little bit gas saving, the last deposit if i'm not mistaken will happen something like this:
depositCount = 2**32 --> the first 32 bits will be 0
uint256 size = ++depositCount;
for (
uint256 height = 0;
height < _DEPOSIT_CONTRACT_TREE_DEPTH;
height++
) {
if (((size >> height) & 1) == 1) {
_branch[height] = node;
return;
}
node = keccak256(abi.encodePacked(_branch[height], node));
}Here the condition if (((size >> height) & 1) == 1) will never be true, and therefore we will get into the assert(false)
Anyway this does not seem obvious so i will just put the equal in the revert condition
| error EtherTransferFailed(); | ||
|
|
||
| /** | ||
| * @dev Thrown when the message transactoin on claimMessage fail |
There was a problem hiding this comment.
| * @dev Thrown when the message transactoin on claimMessage fail | |
| * @dev Thrown when the message transaction on claimMessage fail |
| error GlobalExitRootInvalid(); | ||
|
|
||
| /** | ||
| * @dev Thrown when a the smt proof does not match |
There was a problem hiding this comment.
| * @dev Thrown when a the smt proof does not match | |
| * @dev Thrown when the smt proof does not match |
| error NotValidOwner(); | ||
|
|
||
| /** | ||
| * @dev Thrown when the spender of permit does not this contract |
There was a problem hiding this comment.
| * @dev Thrown when the spender of permit does not this contract | |
| * @dev Thrown when the spender of permit is not this contract |
| error OnlyTrustedAggregator(); | ||
|
|
||
| /** | ||
| * @dev Thrown when try to sequence 0 batches |
There was a problem hiding this comment.
| * @dev Thrown when try to sequence 0 batches | |
| * @dev Thrown when trying to sequence 0 batches |
| error SequenceZeroBatches(); | ||
|
|
||
| /** | ||
| * @dev Thrown when an try to sequence or verify more batches than _MAX_VERIFY_BATCHES |
There was a problem hiding this comment.
| * @dev Thrown when an try to sequence or verify more batches than _MAX_VERIFY_BATCHES | |
| * @dev Thrown when trying to sequence or verify more batches than _MAX_VERIFY_BATCHES |
| pragma solidity ^0.8.0; | ||
|
|
||
| /** | ||
| * @dev Implementation of the ERC20 with werid metadata. |
There was a problem hiding this comment.
| * @dev Implementation of the ERC20 with werid metadata. | |
| * @dev Implementation of the ERC20 with weird metadata. |
contracts/PolygonZkEVMBridge.sol
Outdated
| (bool success, bytes memory data) = address(token).staticcall( | ||
| abi.encodeCall(IERC20MetadataUpgradeable.symbol, ()) | ||
| ); | ||
| return success ? _returnDataToString(data) : "???"; |
contracts/PolygonZkEVMBridge.sol
Outdated
| (bool success, bytes memory data) = address(token).staticcall( | ||
| abi.encodeCall(IERC20MetadataUpgradeable.name, ()) | ||
| ); | ||
| return success ? _returnDataToString(data) : "???"; |
| } | ||
|
|
||
| // If the first one is 0, we do not handle the encoding | ||
| if (nonZeroBytes == 0) { |
There was a problem hiding this comment.
Finally i will handle it, in my opinoin if the first byte returned is 0 means that the token was trying encode somehow a name, i think it's better this way that just an empty string
contracts/PolygonZkEVMBridge.sol
Outdated
| } | ||
| return string(bytesArray); | ||
| } else { | ||
| return "???"; |
| error ForceBatchesOverflow(); | ||
|
|
||
| /** | ||
| * @dev Thrown when are sequenced more force batches than actually were submitted |
There was a problem hiding this comment.
| * @dev Thrown when are sequenced more force batches than actually were submitted | |
| * @dev Thrown when more force batches were sequenced than actually submitted |
| error TrustedAggregatorTimeoutNotExpired(); | ||
|
|
||
| /** | ||
| * @dev Thrown when try to access a pending that does not exist |
There was a problem hiding this comment.
| * @dev Thrown when try to access a pending that does not exist | |
| * @dev Thrown when trying to access a pending state that does not exist |
|
|
||
| /** | ||
| * @dev Thrown when try to sequence a force batch using sequenceForceBatches and the | ||
| * force timeout do not expired |
There was a problem hiding this comment.
| * force timeout do not expired | |
| * force timeout did not expire |
contracts/lib/DepositContract.sol
Outdated
| @@ -8,6 +8,11 @@ import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol"; | |||
| * Based on the implementation of the deposit eth2.0 contract https://github.com/ethereum/consensus-specs/blob/dev/solidity_deposit_contract/deposit_contract.sol | |||
| */ | |||
| contract DepositContract is Initializable { | |||
| /** | |||
| * @dev Thrown when the merle tree is full | |||
There was a problem hiding this comment.
| * @dev Thrown when the merle tree is full | |
| * @dev Thrown when the merkle tree is full |
| error MsgValueNotZero(); | ||
|
|
||
| /** | ||
| * @dev Thrown when the ether transfer on claimAsset fail |
There was a problem hiding this comment.
| * @dev Thrown when the ether transfer on claimAsset fail | |
| * @dev Thrown when the ether transfer on claimAsset fails |
contracts/PolygonZkEVMBridge.sol
Outdated
| (bool success, bytes memory data) = address(token).staticcall( | ||
| abi.encodeCall(IERC20MetadataUpgradeable.symbol, ()) | ||
| ); | ||
| return success ? _returnDataToString(data) : "???"; |
contracts/PolygonZkEVMBridge.sol
Outdated
| (bool success, bytes memory data) = address(token).staticcall( | ||
| abi.encodeCall(IERC20MetadataUpgradeable.name, ()) | ||
| ); | ||
| return success ? _returnDataToString(data) : "???"; |
invocamanman
force-pushed
the
feature/spearBitsAudit5
branch
from
d773635
to
f5bb381
Compare
This PR solves the following spearbits audit issues:
https://github.com/spearbit-audits/review-polygon-zkevm-contracts/issues/42
https://github.com/spearbit-audits/review-polygon-zkevm-contracts/issues/43
https://github.com/spearbit-audits/review-polygon-zkevm-contracts/issues/46
https://github.com/spearbit-audits/review-polygon-zkevm-contracts/issues/22
https://github.com/spearbit-audits/review-polygon-zkevm-contracts/issues/15
https://github.com/spearbit-audits/review-polygon-zkevm-contracts/issues/38
Also this PR have the following changes:
Erase not used imports in
PolygonZkEVMcontractUpdate a little bit the condition on
DepositContract:depositCount < _MAX_DEPOSIT_COUNTdepositCount > _MAX_DEPOSIT_COUNTNote that now
depositCountcan be==_MAX_DEPOSIT_COUNT, this should be safe and it's more consistent wit the use ofMAXin the whole contract.Update a little bit the logic of
PolygonZkEVMGlobalExitRoot::updateExitRootafter using custom errors to optimize gasThe change from < to > in setVerifyBatchTimeTarget / newVerifyBatchTimeTarget but the difference is neglectable PolygonZkEVM.sol#L1224