Assessment reportsPublic findings
Back to Zellic site
Assessment reports>ZetaChain>Threat Model>Message: UpdateZRC20WithdrawFee
GeneralOverview
Findings
Critical (1)
High (2)
Medium (4)
DiscussionLenient slash behaviourGas stability pool
Threat ModelWhat are threat models?crosschain
fungibleMessage: UpdateZRC20PausedStatusMessage: UpdateZRC20WithdrawFeeMessage: UpdateContractBytecodeMessage: WhitelistERC20
observer
Audit ResultsSummary

Message: UpdateZRC20WithdrawFee

The UpdateZRC20WithdrawFee message handler is used to update the withdrawal fees and gas limits when withdrawing ZRC-20 coins. Only policy type 2 admin accounts are able to call this handler (i.e., a multi-sig).

The code ensures that the ZRC-20 exists and that a foreign coin is found for said ZRC-20 address (mapping must exist). Then the relevant functions are called to call the zEVM methods to update the respective properties.

The only thing to note is that there are no gas limits for the calls to the zEVM methods. This is not a security issue as ZRC-20 tokens can only be whitelisted/deployed by the admin team; therefore, they cannot endlessly consume gas. However, this is a future consideration in case features are added for users to add their own custom ZRC-20s.

Zellic © 2024Back to top ↑