We audited the changes made to the short-term fee model in:
In scope were the following contracts:
Repository era-contracts:
ethereum
└── contracts
└── zksync
├── facets
│ ├── Admin.sol
│ ├── Base.sol
│ ├── Executor.sol
│ ├── Getters.sol
│ └── Mailbox.sol
├── interfaces
│ ├── IAdmin.sol
│ ├── IExecutor.sol
│ ├── IGetters.sol
│ ├── ILegacyGetters.sol
│ ├── IMailbox.sol
│ ├── IVerifier.sol
│ └── IZkSync.sol
└── libraries
└── TransactionValidator.sol
Repository era-system-contracts:
├── bootloader
│ └── bootloader.yul
└── contracts
├── Compressor.sol
├── L1Messenger.sol
└── interfaces
└── IMailbox.sol
The system upgrade introduces changes to the short-term fee model. With the new implementation on Layer 2 (L2), the operator is responsible for providing two variable values: L2 gas price and pubdata price. On Layer 1 (L1), these values are calculated within the contracts. The L2 gas price is expected to include the potential contribution of the usage of a single gas unit for sealing the batch. It is calculated based on the configurable minimal calculation cost, batch overhead, and the gas needed to seal the batch.
The pubdata price is expected to include the potential contribution of the usage of a single pubdata byte for sealing the batch. It is calculated based on the gas price on L1 and the maximum number of pubdata that can be published in a single batch. This provides a high degree of flexibility to the operator and can be adjusted according to market conditions.
This upgrade does not introduce new roles to the system. A new administrative functionality of changing fee parameters for L1-to-L2 transactions has been added, and can only be executed by an account having the Governor role. Thus, any account possessing the Governor role is considered to be a trusted party.
v1.4.1-integration Diff AuditThe short-term fee model changes are derived from the code present in the era-contract repository, in the v1.4.1-integration branch, at commit 518bfff, and in the era-system-contracts repository, at commit ef0eb0c. Consequently, all issues identified in the v1.4.1-integration audit must be incorporated into the short-term fee model.
Consider merging all fixes from the v1.4.1-integration branch audit into the sb-short-term-fee-model branch of the era-contracts and era-system-contracts repositories.
Update: Resolved in pull request #160 at commit 4e1dfc7 and pull request #105 at commit d85d7d0.
The short-term fee model upgrade involves updating the OpenZeppelin Contracts library from version 4.8.0 to 4.9.2. However, the latest version of the OpenZeppelin Contracts library is 4.9.5 which addresses several security issues.
While these security issues do not directly impact the current implementation of the contracts in scope, consider updating the library to the newest version.
Update: Resolved in pull request #128 at commit bf5905d.
In the Admin contract, the changeFeeParams function, callable by the Governor, modifies the parameters for deriving the gas price in L1-to-L2 transactions. To prevent potential system failure due to misconfiguration, it is recommended to validate whether the provided value for maxPubDataPerBatch exceeds priorityTxMaxPubdata.
Consider validating the input values for maxPubDataPerBatch and priorityTxMaxPubdata to prevent misconfigurations.
Update: Resolved in pull request #129 at commit d59b22d.
The proposed changes to the short-term fee model lack tests that could confirm the correctness of the implementation. The following areas require additional testing:
changeFeeParams function of the Admin contractbootloaderConsider adding tests to enhance the quality and safety of the codebase.
Update: Resolved in pull request #95 at commit 80b1869, pull request #131 at commit 85a1b12.
The logic of calling getFeeParams function and calculating the baseFee is implemented outside of the proved batch section. This leads to a scenario whereby the baseFee is calculated for the playground batch as well.
Consider moving the initialization of baseFee and the calling of getFeeParams to the proved batch section.
Update: Resolved in pull request #93 at commit 2546b0a.
Throughout the codebase, there are multiple instances of unused code:
getBatchOverheadEth function of bootloadertxGasLimitConsider removing all unused code to improve the readability and clarity of the codebase.
Update: Resolved in pull request #94 at commit fc9ba75.
In the Mailbox contract, the parameter _gasPricePerPubdata of the _deriveL2GasPrice function has a misleading name. Despite its current name, it does not represent a price in wei but rather a gas value per pubdata byte. The given name is rather unintuitive and makes the code harder to read.
Consider renaming the _gasPricePerPubdata parameter for improved readability.
Update: Resolved in pull request #130 at commit 9e45fb4.
The system upgrade alters the short-term fee model on L2, shifting responsibility to the operator for determining L2 gas price and pubdata values. Unlike L1, these values on L2 factor in sealing batch costs, providing flexibility based on market conditions.
The audit did not reveal any significant issues with the changes made to the short-term fee model. Various recommendations have been made to enhance the quality and documentation of the codebase. We found the dedicated documentation provided by Matter Labs team to be very helpful in understanding the audited code changes. Furthermore, the Matter Labs team was very responsive throughout the audit period and answered any questions we had in a timely manner.