Message: WhitelistERC20

The WhitelistERC20 message handler is used to whitelist ERC-20 tokens so that they can be deposited and withdrawn. Only policy type 1 admins are able to call this message.

This message adds an ERC-20 address to the whitelisted coins in the zEVM and EVM contracts, deploys the corresponding ZRC-20, and sends out a CoinType_Cmd. The CoinType_Cmd is an admin message that all observers accept and agree to sign as a TSS message. This is required because the whitelist function is onlyTSS.

We discovered an issue with this function, specifically in how it interacts with DeployFungibleZRC20. Even if a deployed ZRC-20 address is provided, it is not whitelisted. Instead, a new ZRC-20 contract is deployed and whitelisted.

Zellic © 2024