Lines of code
https://github.com/code-423n4/2024-03-phala-network/blob/a01ffbe992560d8d0f17deadfb9b9a2bed38377e/phala-blockchain/crates/pink/runtime/src/contract.rs#L164
Vulnerability details
Impact
The line
gas_limit = Weight::from_parts(gas_limit, 0).set_proof_size(u64::MAX);
sets the proof size, an additional gas cost associated with contract execution, to the maximum unsigned 64-bit integer value (u64::MAX). This removes any restrictions on gas consumption for proofs.
Proof of Concept
An attacker could craft a transaction with a low gas_limit value but embed a very large proof size. Since there's no upper bound on the proof size due to setting it to u64::MAX, the gas consumption can escalate beyond the intended limit, potentially causing resource exhaustion and a DDoS attack.
Tools Used
Manual Inspection
Recommended Mitigation Steps
The proof size should be calibrated based on the actual storage requirements of the transaction:
let gas_limit = Weight::from_parts(gas_limit, 0).set_proof_size(u64::PROOF_SIZE_LIMIT);
Assessed type
Other
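The two-dimensional limit discussed in this report, as an added example that is not part of the original submission or the Phala code base: it meters a constructed workload against a limit built with `set_proof_size(u64::MAX)` and against one built with a finite cap. The `Weight` struct is a simplified stand-in for the Substrate type, and `Meter`, `run`, the per-read costs and the `PROOF_SIZE_LIMIT` value are assumptions made for illustration.

```rust
// Simplified stand-in for the two-dimensional Substrate `Weight`
// (ref_time, proof_size); not the sp_weights implementation.
#[derive(Clone, Copy, Debug, PartialEq)]
struct Weight { ref_time: u64, proof_size: u64 }

impl Weight {
    fn from_parts(ref_time: u64, proof_size: u64) -> Self { Weight { ref_time, proof_size } }
    fn set_proof_size(mut self, p: u64) -> Self { self.proof_size = p; self }
}

#[derive(Debug, PartialEq)]
enum OutOfGas { RefTime, ProofSize }

// Hypothetical meter: a charge is accepted only if the running total
// stays within the limit in both dimensions.
struct Meter { limit: Weight, used: Weight }

impl Meter {
    fn new(limit: Weight) -> Self { Meter { limit, used: Weight::from_parts(0, 0) } }
    fn charge(&mut self, cost: Weight) -> Result<(), OutOfGas> {
        let rt = self.used.ref_time.saturating_add(cost.ref_time);
        let ps = self.used.proof_size.saturating_add(cost.proof_size);
        if rt > self.limit.ref_time { return Err(OutOfGas::RefTime); }
        if ps > self.limit.proof_size { return Err(OutOfGas::ProofSize); }
        self.used = Weight::from_parts(rt, ps);
        Ok(())
    }
}

// Constructed workload: `reads` storage reads, each costing
// 1_000 ref_time and 4_096 bytes of proof.
fn run(limit: Weight, reads: u32) -> Result<Weight, OutOfGas> {
    let mut m = Meter::new(limit);
    for _ in 0..reads { m.charge(Weight::from_parts(1_000, 4_096))?; }
    Ok(m.used)
}

const PROOF_SIZE_LIMIT: u64 = 64 * 1024; // assumed cap, not a project value

fn main() {
    let gas_limit = 1_000_000u64;
    let unbounded = Weight::from_parts(gas_limit, 0).set_proof_size(u64::MAX);
    let bounded = Weight::from_parts(gas_limit, 0).set_proof_size(PROOF_SIZE_LIMIT);
    println!("u64::MAX proof limit, 100 reads:  {:?}", run(unbounded, 100));
    println!("u64::MAX proof limit, 1001 reads: {:?}", run(unbounded, 1001));
    println!("capped proof limit, 100 reads:    {:?}", run(bounded, 100));
}
```

In this model the `ref_time` component still stops execution once `gas_limit` is spent; only the proof-size dimension is left without a ceiling when it is set to `u64::MAX`.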