
Message: UpdateZRC20PausedStatus

The UpdateZRC20PausedStatus message handler is used to pause and unpause ZRC-20 token contracts in the zEVM. Policy type 1 admin accounts are able to pause tokens, but unpausing requires a policy type 2 admin account (i.e., a multi-sig).

The code first ensures that the account executing the message has the required permissions. It then iterates through all foreign coins and modifies the pause status of the coin.
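A minimal model of the handler logic described above, as an added example that is not ZetaChain's code. The `Keeper` type, account names and addresses are constructed, and binding each action to exactly one policy type is a simplifying assumption.

```go
package main

import (
	"errors"
	"fmt"
)

type PolicyType int // admin policy level (type name is an assumption)

const (
	PolicyType1 PolicyType = 1 // may pause
	PolicyType2 PolicyType = 2 // multi-sig, required to unpause
)

var ErrUnauthorized = errors.New("signer lacks the required policy")

type Keeper struct { // constructed in-memory stand-in for module state
	Admins map[PolicyType]string // policy type -> admin account
	Paused map[string]bool       // ZRC-20 address -> paused flag
}

// UpdatePaused authorizes the signer for the action, then validates every
// address before writing, so a rejected message changes no pause flag.
func (k *Keeper) UpdatePaused(signer string, zrc20s []string, pause bool) error {
	required := PolicyType2
	if pause {
		required = PolicyType1
	}
	if admin, ok := k.Admins[required]; !ok || signer != admin {
		return ErrUnauthorized
	}
	for _, addr := range zrc20s {
		if _, ok := k.Paused[addr]; !ok {
			return fmt.Errorf("unknown ZRC-20 address %s", addr)
		}
	}
	for _, addr := range zrc20s {
		k.Paused[addr] = pause
	}
	return nil
}

func main() {
	k := &Keeper{ // constructed sample state
		Admins: map[PolicyType]string{PolicyType1: "emergency", PolicyType2: "multisig"},
		Paused: map[string]bool{"0xA": true},
	}
	err := k.UpdatePaused("emergency", []string{"0xA"}, false) // type 1 tries to unpause
	fmt.Println(err, k.Paused["0xA"])
}
```
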

The pause status itself is checked in the Fungible module's PostTxProcessing() hook.

We found an issue that allows the pause status to be bypassed (i.e., an attacker is able to interact freely with a paused ZRC-20 token contract). The finding is detailed here: Finding ref.

Zellic © 2024