code-423n4 / 2023-05-maia-findings


The premium is not taken into account when calculating execution gas cost #297

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-05-maia/blob/54a45beb1428d85999da3f721f923cbf36ee3d35/src/ulysses-omnichain/RootBridgeAgent.sol#L811
https://github.com/anyswap/multichain-smart-contracts/blob/645d0053d22ed63005b9414b5610879094932304/contracts/anycall/v7/AnycallV7Config.sol#L204

Vulnerability details

Impact

The premium is not taken into account when calculating minExecCost in _payExecutionGas. A transaction may consume more gas than what has been replenished.

Proof of Concept

```solidity
function _payExecutionGas(uint128 _depositedGas, uint128 _gasToBridgeOut, uint256 _initialGas, uint24 _fromChain) internal {
    ......
    // Priced at tx.gasprice only; the anycall premium is not included.
    uint256 minExecCost = tx.gasprice * (MIN_EXECUTION_OVERHEAD + _initialGas - gasleft());
    if (minExecCost > availableGas) {
        _forceRevert();
        return;
    }
    _replenishGas(minExecCost);
    ......
}
```

The gas price is determined as tx.gasprice in _payExecutionGas, but the actual charge is tx.gasprice + _feeData.premium. A malicious user can consume an arbitrarily large amount of gas by making external calls at the virtual account to generate a shortfall. By repeating this, the gas budget of the bridge agent will be depleted, and the entire system will become inoperable.

```solidity
function chargeFeeOnDestChain(address _from, uint256 _prevGasLeft) external onlyAnycallContract {
    if (!_isSet(mode, FREE_MODE)) {
        uint256 gasUsed = _prevGasLeft + EXECUTION_OVERHEAD - gasleft();
        // Charged at tx.gasprice plus the premium, i.e. more than was replenished.
        uint256 totalCost = gasUsed * (tx.gasprice + _feeData.premium);
        uint256 budget = executionBudget[_from];
        require(budget > totalCost, "no enough budget");
        executionBudget[_from] = budget - totalCost;
        _feeData.accruedFees += uint128(totalCost);
    }
}
```

Tools Used

Manual

Recommended Mitigation Steps

Replace tx.gasprice by tx.gasprice + premium

Assessed type

DoS
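A small model of the two accounting steps described in this finding, added here as an illustration and not code from the Maia or Anyswap repositories. The class and function names, the gas price, premium, budget and gas-used figures are all constructed; the same gas figure is used for both the replenish and the charge so that only the price mismatch shows up.

```python
"""Added model of the gas-accounting mismatch (constructed, not project code)."""
from dataclasses import dataclass


@dataclass
class BudgetModel:
    """The bridge agent replenishes the anycall executionBudget with what it
    charged the user; anycall then debits that budget for the same gas at
    (gasprice + premium). All values are in wei."""
    gas_price: int         # tx.gasprice
    premium: int           # _feeData.premium (per gas unit)
    execution_budget: int  # anycall executionBudget[bridge agent]
    include_premium: bool  # False = behaviour reported; True = recommended fix

    def pay_execution_gas(self, gas_used: int, available_gas: int) -> bool:
        """_payExecutionGas; gas_used stands for MIN_EXECUTION_OVERHEAD + _initialGas
        - gasleft(). Returns False where the original would _forceRevert()."""
        unit_price = self.gas_price + (self.premium if self.include_premium else 0)
        min_exec_cost = unit_price * gas_used
        if min_exec_cost > available_gas:
            return False
        self.execution_budget += min_exec_cost  # _replenishGas(minExecCost)
        return True

    def charge_fee_on_dest_chain(self, gas_used: int) -> bool:
        """chargeFeeOnDestChain; returns False where require(budget > totalCost) fails."""
        total_cost = gas_used * (self.gas_price + self.premium)
        if self.execution_budget <= total_cost:
            return False
        self.execution_budget -= total_cost
        return True


def calls_until_exhausted(include_premium: bool, gas_used: int = 200_000,
                          available_gas: int = 10**18, max_calls: int = 10_000) -> int:
    """Repeat replenish-then-charge cycles with constructed figures; return how many
    cycles complete before anycall refuses a charge (max_calls if it never does)."""
    m = BudgetModel(gas_price=20 * 10**9, premium=5 * 10**9,
                    execution_budget=10**16, include_premium=include_premium)
    for n in range(max_calls):
        if not m.pay_execution_gas(gas_used, available_gas):
            return n
        if not m.charge_fee_on_dest_chain(gas_used):
            return n
    return max_calls
```

With the reported accounting every cycle drains gas_used * premium from the budget, so the ninth charge in this model is refused; with the premium included the budget is invariant and the availability check also rejects a deposit that only covers tx.gasprice.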

c4-judge commented 1 year ago

trust1995 marked the issue as duplicate of #612

c4-judge commented 1 year ago

trust1995 marked the issue as satisfactory