Issue seems to be resolved.
The issue was that attacker might cause the quantity() function to be called with little to no gas, and now the function ensures that it’s being called with at least 100K gas.
100K gas seems to be enough for most cases (esp. considering it’s a view function) but there might be some edge cases when it’s not enough (considering that the implementation for refPerTok() might change depending on the asset).
However, I can’t recommend any specific number, since we can always say there might be an edge case where it’d cost more than that (in fact this issue stems from mitigating an issue that claims we might encounter a case where refPerTok() would consume more gas than the block gas limit).
Lines of code
Vulnerability details
Issue seems to be resolved. The issue was that attacker might cause the
quantity()
function to be called with little to no gas, and now the function ensures that it’s being called with at least 100K gas.100K gas seems to be enough for most cases (esp. considering it’s a view function) but there might be some edge cases when it’s not enough (considering that the implementation for
refPerTok()
might change depending on the asset). However, I can’t recommend any specific number, since we can always say there might be an edge case where it’d cost more than that (in fact this issue stems from mitigating an issue that claims we might encounter a case whererefPerTok()
would consume more gas than the block gas limit).