Function: PostTxProcessing()

The PostTxProcessing() hook is used to process all ZetaSent and Withdrawal events that are emitted by contracts on the zEVM.

The processing of the ZetaSent event is done in the ProcessZetaSentEvent() function. It is identical to the processing of the ZetaSent event emitted by the connector contract on EVM-compatible chains, with one key difference: the code here fails to ensure that only ZetaSent events emitted by the zEVM connector contract are processed. An attacker can therefore deploy a contract that emits ZetaSent events with the same signature and use them to transfer ZETA tokens across chains without ever owning any ZETA. This essentially lets them mint free tokens out of nothing, which is a critical issue.

The processing of the Withdrawal event is done in the ProcessZRC20WithdrawalEvent() function. It is also very similar to the processing of the ZetaSent event above, except that it does check that the event is emitted by a whitelisted ZRC20 contract on the zEVM. It creates and broadcasts a MsgVoteOnObservedInboundTx message with the value field set to the event's value field, and the recipient set to the event's to field.

The format of the Withdrawal event is shown below:

event Withdrawal(address indexed from, bytes to, uint256 value, uint256 gasfee, uint256 protocolFlatFee)
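
The emitter checks discussed above, as an added Go example (not code from ZetaChain or from this report): a filter that trusts any log with a matching event signature, next to one that binds each event type to the contracts allowed to emit it. The types, topic values and addresses are constructed placeholders, and all function names are hypothetical.

```go
package main

import "fmt"

type Address [20]byte // hypothetical stand-ins for EVM address and hash types
type Hash [32]byte
type Log struct {
	Emitter Address // contract that emitted the event
	Topics  []Hash  // Topics[0] is the event signature hash
}

// Constructed placeholders; real topics are keccak256 hashes of the event signature.
var (
	topicZetaSent   = Hash{0x01}
	topicWithdrawal = Hash{0x02}
	connector       = Address{0xC0}                  // the one trusted zEVM connector
	zrc20Whitelist  = map[Address]bool{{0xA1}: true} // whitelisted ZRC20 contracts
	otherContract   = Address{0xEE}                  // a contract outside both sets
)

// SignatureOnly is the flawed pattern: the topic matches, the emitter is never checked.
func SignatureOnly(l Log) bool {
	return len(l.Topics) > 0 && l.Topics[0] == topicZetaSent
}

// EmitterBound ties each event type to the contracts allowed to emit it.
func EmitterBound(l Log) bool {
	if len(l.Topics) == 0 {
		return false
	}
	switch l.Topics[0] {
	case topicZetaSent:
		return l.Emitter == connector
	case topicWithdrawal:
		return zrc20Whitelist[l.Emitter]
	}
	return false
}

func main() {
	for _, l := range []Log{
		{connector, []Hash{topicZetaSent}},
		{otherContract, []Hash{topicZetaSent}}, // same signature, untrusted emitter
		{Address{0xA1}, []Hash{topicWithdrawal}},
		{otherContract, []Hash{topicWithdrawal}},
	} {
		fmt.Printf("emitter=%x signatureOnly=%v emitterBound=%v\n", l.Emitter[:1], SignatureOnly(l), EmitterBound(l))
	}
}
```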
Zellic © 2024