Skip to content

Address RES-NODL-BRD01 #94

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
aliXsed merged 9 commits into from
Sep 26, 2025
Merged

Address RES-NODL-BRD01 #94

aliXsed merged 9 commits into from
Sep 26, 2025

Conversation

@aliXsed
Copy link
Collaborator

@aliXsed aliXsed commented Sep 17, 2025

This pull request introduces important safety and usability improvements to the L1Nodl and L1Bridge contracts. The main updates include enhanced input validation to prevent zero address errors, new helper functions for quoting L2 execution costs, and a minor fix to the withdrawal finalization process.

The suggestions from Resonance Security audit are mostly taken except for the followings:

  • RES-01 “Unbounded ETH Forwarded to Mailbox”: We retain the exact-match ETH forwarding model (no capping/refund) to minimize avoidable failures and align with zkSync BridgeHub’s design, which shifts fee calculation to caller/off-chain code. However, we add helpers to allow integrators pre-compute msg.value without calling Mailbox directly.
  • RES-02 Pausing Contracts Block Deposit Finalization: We consider the current functionality which pauses all major interactions with the bridge as the intended behavior. Many other production bridges do block finalization when the bridge is paused. Since for us "pause" is intended only for emergency situations, we can make this more conservative decision.

@aliXsed
feat(L1Bridge): add view helpers to quote ETH needed for L2 execution
8a99a8e 
Address RES-01 “Unbounded ETH Forwarded to Mailbox” from Resonance’s audit by exposing read-only helpers that return the exact base cost as computed by the zkSync Mailbox. We retain the exact-match ETH forwarding model (no capping/refund) to minimize avoidable failures and align with zkSync BridgeHub’s design, which shifts fee calculation to caller/off-chain code.
The added helpers will let integrators pre-compute msg.value without calling Mailbox directly.
@aliXsed
fix(L1Nodl): address RES-03 Missing Zero Address Validation On L1Nodl…
ddd2bf3 
….constructor()
@aliXsed
fix(L1Bridge): address RES-04 Missing Zero Address Validation On depo…
87386b5 
…sit()
@aliXsed
fix(L1Bridge): follow CEI Pattern more strictly to address RES-05
d119688
@aliXsed
chore: accept Frontends spelling
8ae09c5
@aliXsed
test: cover L1Nodl and L1Bridge changes
3c7fa1c
@aliXsed
test(L1Bridge): adjust tests to be deterministic across environments
812a36a
@aliXsed
test(L1Bridge): fix CI
cc28b71
@aliXsed
test(L1Bridge): fix CI 2
47b862a
@aliXsed aliXsed merged commit fe5f1ff into main Sep 26, 2025
1 check passed
@aliXsed aliXsed deleted the aliX/address-audit-comments branch September 26, 2025 02:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@aliXsed