Closed code423n4 closed 2 years ago
I believe this is a QA issue. Gas cost may or may not increase. In the event it does, the auctioning activity would be routed to a new contract with the correct gas amount. No harm done.
0xean changed the severity to QA (Quality Assurance)
0xean marked the issue as grade-c
Lines of code
https://github.com/code-423n4/2022-11-size/blob/main/src/util/ECCMath.sol#L28
Vulnerability details
Description
There is an `ecMul` function in the `ECCMath` library. The function performs a call to the eponymous precompile. The gas limit for the precompile call is hardcoded.

There is no guarantee that the same cost will stay for future EVM updates / Ethereum hardforks. Over the entire history of Ethereum development, precompile calls were recalculated many times. For example, the `ecMul` precompile cost 5000 gas at the Byzantium hardfork, and 6000 gas after. All in all, the cost of calling this precompile may increase.

Thereby, the `ecMul` function from `ECCMath` may stop working after one of the network upgrades, because the hardcoded amount of gas would not be enough.

Impact
The `finalize` function from the `SizeSealed` smart contract may stop working. That breaks the whole auction logic.

Recommended Mitigation Steps
Make the gas limit for the precompile call a user-provided parameter (calldata).
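
The recommended mitigation, sketched as an added example that is not part of the original report or the Size repository. The library, struct and function names are hypothetical, `0x07` is the alt_bn128 scalar-multiplication precompile address from EIP-196, and the fixed 6000 value is an assumption taken from the cost quoted in the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Added illustration only; all names here are hypothetical.
library EcMulGasExample {
    struct Point {
        uint256 x;
        uint256 y;
    }

    // alt_bn128 scalar multiplication precompile (EIP-196).
    address internal constant EC_MUL = address(0x07);

    error PrecompileCallFailed(uint256 gasLimit);

    /// Fixed-stipend form: if a later fork prices the precompile above the
    /// constant (6000 is assumed here), every call fails regardless of input.
    function ecMulFixedGas(Point memory p, uint256 s) internal view returns (Point memory) {
        return _ecMul(p, s, 6000);
    }

    /// Parameterised form: the caller forwards the gas limit (for example
    /// from calldata), so a repriced precompile can still be reached.
    function ecMulWithGas(Point memory p, uint256 s, uint256 gasLimit)
        internal
        view
        returns (Point memory)
    {
        return _ecMul(p, s, gasLimit);
    }

    function _ecMul(Point memory p, uint256 s, uint256 gasLimit)
        private
        view
        returns (Point memory r)
    {
        // Precompile input is 96 bytes: x || y || scalar; output is 64 bytes.
        (bool ok, bytes memory ret) =
            EC_MUL.staticcall{gas: gasLimit}(abi.encode(p.x, p.y, s));

        // Revert on failure instead of returning a sentinel point, so an
        // undersized caller-chosen limit cannot be mistaken for a valid
        // (or deliberately invalid) multiplication result.
        if (!ok || ret.length != 64) revert PrecompileCallFailed(gasLimit);

        (r.x, r.y) = abi.decode(ret, (uint256, uint256));
    }
}
```

Because the limit is caller-controlled in the second form, any code path that treats a failed multiplication as meaningful has to distinguish "out of gas" from "invalid point", which is why this sketch reverts rather than returning a default value.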