# List of Known Bugs

Below you will find a JSON-formatted list of known security-relevant bugs. The file itself is hosted in this GitHub repository. This list was started on January 1, 2022, and covers Version 5.2 and forward.

The JSON file of known vulnerabilities is a list of objects, one for each vulnerability, with the following keys:

name: unique name given to vulnerability

uid: unique identifier of the vulnerability of format ZKSYNC1-<year>-<sequential id>

summary: short description of the vulnerability

description: detailed description of the vulnerability

links: list of relevant URLs with more detailed information (optional)

introduced: the first published zkSync version that contained the vulnerability

fixed: the first published zkSync version that did not contain the vulnerability anymore

severity: severity of the vulnerability: low, medium, high, critical taking into account the severity of impact and likelihood of exploitation

    "name": "SELFDESTRUCT main via delegatecall",
    "uid": "ZKSYNC1-2021-01",
    "summary": "The Proxy’s target code allowed setting the main zkSync contract to SELFDESTRUCT, resulting in a freeze of user funds.",
    "description": "The initialize function in the zkSync main contract could be called on the target contract with any parameters at any time, allowing anyone to set additionalZkSync in the target contract storage to any address. If the attacker sets additionalZkSync to an address that would execute the SELFDESTRUCT opcode on any entry, and then call any function on the zkSync main contract that uses logic from additionalZkSync via delegatecall, the main zkSync target contract could have been destroyed and all funds would have been frozen. Funds could not be stolen because the Proxy contract owns the rollup assets and it did not contain a vulnerability, only the code of the Proxy’s target.",
    "links": "https://zksync.io/dev/security/ZKSYNC1-2021-01",
    "introduced": "v5.1",
    "fixed": "v5.2",
    "severity": "Critical"

Extended description is available HERE

Last Updated: 5/26/2022, 10:30:35 PM