shogoki - Protocol is not usable & possible lock of funds on zksync because of wrong address computation

[sherlock-admin]

shogoki

medium

Protocol is not usable & possible lock of funds on zksync because of wrong address computation

Summary

The Wagmi Leverage Protocol is supposed to be deployed on many chains, including the zksync Era chain.
On multiple occurences the address of the UniswapV3 pool to use is computed by using the deterministic way the create2 opcode for EVM works, which is different for zkSync ERA.

This results in the protocol not being correctly usable and the possibility for funds to be locked.

Vulnerability Detail

The contracts interact with UniswapV3 pools several times. The address of the pool is always computed by the contract using the UNDERLYING_V3_POOL_INIT_CODE_HASH the UNDERLYING_V3_FACTORY_ADDRESS and the salt which is the hash of the tokens and the fee.

This works, as the UniswapV3 pools are created by the Factory using the create2 opcode, which gives us an deterministic address based on these parameters. (see here

However, the address derivation works different on the zkSync Era chain, as they are stating in their docs.

export function create2Address(sender: Address, bytecodeHash: BytesLike, salt: BytesLike, input: BytesLike) {
  const prefix = ethers.utils.keccak256(ethers.utils.toUtf8Bytes("zksyncCreate2"));
  const inputHash = ethers.utils.keccak256(input);
  const addressBytes = ethers.utils.keccak256(ethers.utils.concat([prefix, ethers.utils.zeroPad(sender, 32), salt, bytecodeHash, inputHash])).slice(26);
  return ethers.utils.getAddress(addressBytes);
}

This will result in the computed address inside the contract to be wrong, which make any calls to these going to be reverted, or giving unexpected results.

As there is a possibility for the borrow function to go work fine, as the computed address will not be used, there is a potential for getting funds into the Vault. However, these would be locked forever, as every possible code path of the repay function is relying on the computed address of the UniswapV3 pool.

Impact

• Protocol is not usable on zkSync Era network
• Funds could be locked.

Code Snippet

https://github.com/sherlock-audit/2023-10-real-wagmi/blob/main/wagmi-leverage/contracts/abstract/ApproveSwapAndPay.sol#L211-L213C16

https://github.com/sherlock-audit/2023-10-real-wagmi/blob/main/wagmi-leverage/contracts/abstract/ApproveSwapAndPay.sol#L271C4-L291C6

Tool used

Manual Review

Recommendation

As zkEVM differs in some points from the EVM, i would consider writing a slightly adjusted version of the contract for zkEVM, in regards to the differences mentioned in their docs

Duplicate of #104