Assessment reportsPublic findings
Back to Zellic site
Assessment reports>ZetaChain>High findings>ZetaChain pays gas costs for EVM-to-zEVM transfers
GeneralOverview
Findings
Critical (1)
High (2)ZRC-20 paused status can be bypassedZetaChain pays gas costs for EVM-to-zEVM transfers
Medium (4)
DiscussionLenient slash behaviourGas stability pool
Threat ModelWhat are threat models?crosschainfungibleobserver
Audit ResultsSummary
Category: Coding Mistakes

ZetaChain pays gas costs for EVM-to-zEVM transfers

High Severity
Medium Impact
High Likelihood

Description

When an EVM-to-zEVM cross-chain transfer is initiated, the user initiating the transfer only pays gas fees for the EVM transaction. ZetaChain incurs the gas costs for any transaction initiated on the zEVM to finish the cross-chain transfer. This seems to be intended by ZetaChain.

However, when a user sends an ERC-20 token from the EVM to the zEVM, they are able to send the tokens to a smart contract on the zEVM. When this happens, the smart contract's onCrossChainCall() function is called by ZetaChain. In this scenario, ZetaChain sets the gas limit to ZEVMGasLimitDepositAndCall, which is one million. Again, it seems that this is intended by ZetaChain.

Impact

The issue here is that a malicious user can force ZetaChain to pay for very gas-intensive operations on the zEVM. The one-million gas limit applies per deposit, but a user is able to emit multiple Deposited events in a single transaction. If this is done on an EVM chain with very low gas fees like Polygon, the user might pay $1 in gas fees but then force ZetaChain to pay magnitudes more in gas fees on the zEVM.

Note that because of Finding ref, each event emitted will need to have a unique message, but that is easy to control. We note this in case the ZetaChain team would like to test this out.

We mark the impact as Medium because ZetaChain themselves control the total supply of the native ZETA token, so the costs they incur may not be as much of a concern.

Recommendations

Unfortunately, we do not think there is a good fix for this bug. Our recommendation is to either remove the ability for users to make cross-chain smart contract calls or revamp the code in order to let the user pay for the gas costs for the cross-chain smart contract call.

Remediation

The ZetaChain team responded that they plan to fix it with the following statement:

We acknowledged the finding as an issue. As a remediation, we are planning to limit the number of deposits that can be initiated from a single transaction on a source chain Each deposit can call a smart contract on zEVM with hard coded cap of gas limit 1M. External transaction that creates multiple deposit events will be rejected and refunded. There is currently no PR for the remediation.

Zellic © 2024Back to top ↑