[SDK] Securing Atomic Transactions on zkSync: Strategies and Challenges

[codeesura]

Environment

Mainnet

Acknowledgement

• I understand that issues are expected with the Go SDK as they are being updated.

Issue Description

I am working with a smart contract on zkSync that includes claim and transfer functions. The challenge is ensuring that both functions are executed in the same block to prevent a hacker-controlled bot from intercepting or redirecting the assets. This bot immediately transfers any ETH sent to the compromised wallet, making direct interactions with the wallet's funds risky.

Expected Behavior

The ideal solution would enable me to securely claim assets from a compromised wallet and subsequently transfer them to a safe wallet within the same block on zkSync. This atomic execution is crucial to prevent a hacker-controlled bot from intercepting the assets during the transfer process. Once the claim function validates the conditions and confirms the user's entitlement to the assets, the assets should be immediately redirected to a secure wallet, ensuring no delay or opportunity for external interference.

Code Example

Below is a sample smart contract illustrating the claim function used in this scenario. This function is part of a larger process to recover and securely transfer assets from a compromised wallet on zkSync:

function claim() public {
    require(block.number >= claimPeriodStart, "claim not started");
    require(block.number < claimPeriodEnd, "claim ended");

    uint256 amount = claimableTokens[msg.sender];
    require(amount > 0, "nothing to claim");

    claimableTokens[msg.sender] = 0;

    require(token.transfer(msg.sender, amount), "fail token transfer");
    emit HasClaimed(msg.sender, amount);
}

This code serves as an example of how assets are claimed in a smart contract environment on the zkSync platform. The claim function performs crucial checks to ensure that the claim period is active and that the caller has a legitimate claim to tokens. Upon meeting these conditions, it zeroes the caller's claimable tokens and initiates a transfer of these tokens to their address.

However, I'm currently facing a challenge in ensuring that the token transfer executed by this claim function and any subsequent transfers of these tokens to a secure wallet can be performed within the same block. This simultaneous execution is essential to prevent any potential interference from malicious actors or bots associated with the compromised wallet. If anyone has insights or strategies on how to achieve atomic transactions within the same block on zkSync, your advice would be invaluable.

Repo Link (Optional)

No response

[bxpana]

Thanks for the post, will take some time to review and get back to you ASAP

[KingEniac]

Wow, founder answering, it this really awesome

[codeesura]

Any news ?

[bxpana]

Apologies for the delay here. I don't believe we have a way to do this right now but waiting on confirmation.

[githubdoramon]

@codeesura do I get it right that you can't change the claim function? BEcause if you can, you could have an additional param "address to" that you could transfer the assets from the original wallet.

Also, you you prepare and fire 2 txs from the same account in a tiny interval, most likely they will both be included in the same block.