code-423n4 / 2022-10-holograph-findings


Adversary can cause malicious slashing of operators by setting gas price low #491

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2022-10-holograph/blob/f8c2eae866280a1acfdc8a8352401ed031be1373/contracts/HolographOperator.sol#L301-L439

Vulnerability details

Impact

Operators are maliciously slashed

Proof of Concept

The gas price and limit can be set to whatever the user wishes when calling the bridge. A malicious user could set the gas price to be low for current chain conditions. This would allow them to use up the operator's grace period, after which the executeJob function can be called by anyone. Once gas fees drop, they frontrun the operator to slash them and take their stake.

Example:

Gas prices on the destination chain are 30 gwei but are typically around 10 gwei. The malicious user sends transactions with a gas limit of 10. After 30 minutes the gas fees are under 10 gwei. The malicious user frontruns all the operators, slashing them all and taking their stake. The adversary can send extremely low-value transactions between low-fee chains. If the operator beats them to it, then they are only out a small amount of gas and can keep retrying.

Tools Used

Manual Review

Recommended Mitigation Steps

Gas price should be checked when calling crossChainMessage and compared against the current gas price. It should revert if the specified gas price is too far from the current gas price.
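The following is an added illustration of the sanity check proposed in the mitigation above; it is hypothetical code, not Holograph's contract, and the names GasPricePolicy, maxShortfallBps and requireSaneGasPrice are assumptions. It assumes the check runs on the chain whose gas price the job's requested price is meant for, since tx.gasprice only reflects the chain the transaction executes on.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Hypothetical illustration (not Holograph's code): reject a bridge job whose
/// requested gas price is too far below what the chain currently sees, so a
/// sender cannot cheaply create a job that no operator can execute in time.
contract GasPricePolicy {
    address public immutable admin;
    /// Maximum allowed shortfall of the requested price versus tx.gasprice,
    /// in basis points (5_000 = the job may ask for at most 50% less).
    uint256 public maxShortfallBps = 5_000;

    event JobGasPriceChecked(uint256 requested, uint256 current);

    constructor() {
        admin = msg.sender;
    }

    function setMaxShortfallBps(uint256 bps) external {
        require(msg.sender == admin, "not admin");
        require(bps <= 10_000, "bps exceeds 100%");
        maxShortfallBps = bps;
    }

    /// Reverts if `requestedGasPrice` is more than `maxShortfallBps` below
    /// the gas price of the calling transaction. Intended to be called from
    /// the bridge entry point (crossChainMessage in the finding) before the
    /// job is recorded, so the grace period cannot start on an unexecutable job.
    function requireSaneGasPrice(uint256 requestedGasPrice) public {
        uint256 floor = (tx.gasprice * (10_000 - maxShortfallBps)) / 10_000;
        require(requestedGasPrice >= floor, "job gas price too low for current conditions");
        emit JobGasPriceChecked(requestedGasPrice, tx.gasprice);
    }
}
```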

Minh-Trng commented 1 year ago

Only the primary operator can get slashed, and he does not have restrictions on the gas price as the fallback operators do.

gzeoneth commented 1 year ago

https://github.com/code-423n4/2022-10-holograph/blob/f8c2eae866280a1acfdc8a8352401ed031be1373/contracts/HolographOperator.sol#L354 only applies if job.operator != msg.sender

ACC01ADE commented 1 year ago

I agree with the assessment that the particular example is not valid. But this would be an issue of front-running if the operator does not decide to operate above set job gas limits, which I think would fall out of scope since that logic is not part of the audit.