code-423n4 / 2024-03-taiko-findings


Gas Limit Vulnerability in ERC1155Vault's `onMessageInvocation` Function #80

Closed c4-bot-2 closed 5 months ago

c4-bot-2 commented 6 months ago

Lines of code

https://github.com/code-423n4/2024-03-taiko/blob/f58384f44dbf4c6535264a472322322705133b11/packages/protocol/contracts/tokenvault/ERC1155Vault.sol#L112

Vulnerability details

Impact

Failure to enforce gas limits in the onMessageInvocation function of ERC1155Vault increases the susceptibility of the contract to gas exhaustion attacks, potentially resulting in denial-of-service (DoS) scenarios and disrupting contract functionality.

Proof of Concept

The onMessageInvocation function in the ERC1155Vault contract is responsible for processing messages received from the source chain and initiating the transfer of ERC1155 tokens and Ether to designated addresses on the destination chain. However, within this function, there exists a critical vulnerability due to the absence of explicit gas limit enforcement during Ether transfers.

In Ethereum smart contracts, gas is a fundamental unit used to measure computational effort and determine the cost of executing transactions. Each transaction specifies a gas limit, which is the maximum amount of gas the sender is willing to consume for transaction execution. If the gas consumption exceeds this limit, the transaction is reverted, and any changes made during execution are rolled back.

The vulnerable code snippet within the onMessageInvocation function is as follows:

to.sendEther(msg.value); // Gas limit not explicitly enforced

This line initiates the transfer of Ether to the designated recipient address to, using the sendEther function from the LibAddress library. However, the function call does not specify a gas limit for the transaction. Without an explicitly enforced gas limit, the transaction can potentially consume an excessive amount of gas during execution, leading to out-of-gas exceptions.

The impact of this vulnerability can be severe. Without gas limit enforcement, an attacker could craft malicious transactions designed to consume all available gas during execution. This could result in gas exhaustion, causing the transaction to revert and disrupting the intended functionality of the contract. In worst-case scenarios, such attacks could lead to denial-of-service (DoS) attacks, rendering the contract temporarily or permanently unusable.

Tools Used

Manual

Recommended Mitigation Steps

Enforce a gas limit when transferring Ether within the onMessageInvocation function. This can be achieved by passing a gas limit parameter to the sendEther function, ensuring that the transaction has a maximum gas limit specified for execution:

// Inside onMessageInvocation function
to.sendEther(msg.value, _op.gasLimit); // Enforce gas limit

Assessed type

Context
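The difference the report is arguing about, as an added illustration that is not Taiko's code and not its LibAddress library: the same low-level Ether forwarding call with and without a cap on forwarded gas, a constructed recipient that burns whatever it is given, and a hypothetical handler (`deliverBounded`) in the spirit of the recommended `_op.gasLimit` fix that keeps the Ether claimable when the capped call fails. All contract and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical demo contract (not the project's vault).
contract EtherForwardDemo {
    error ETH_TRANSFER_FAILED();

    mapping(address => uint256) public unclaimed;

    /// Forwards all remaining gas (minus the 1/64 the EVM retains).
    /// A recipient contract's receive() can burn everything it is given,
    /// so the caller is left with only that 1/64 when the call returns
    /// and the whole handler reverts.
    function deliverUnbounded(address to) external payable {
        (bool ok,) = payable(to).call{ value: msg.value }("");
        if (!ok) revert ETH_TRANSFER_FAILED();
    }

    /// Forwards at most `gasLimit`. A misbehaving recipient can still
    /// exhaust that budget, but the caller keeps the rest of its gas and
    /// can record the failure instead of reverting the message.
    function deliverBounded(address to, uint256 gasLimit) external payable {
        (bool ok,) = payable(to).call{ value: msg.value, gas: gasLimit }("");
        if (!ok) {
            // Constructed fallback: make the Ether claimable later rather
            // than letting one bad recipient block message processing.
            unclaimed[to] += msg.value;
        }
    }

    /// Lets a recipient pull Ether that could not be pushed to it.
    function claim() external {
        uint256 amount = unclaimed[msg.sender];
        unclaimed[msg.sender] = 0;
        (bool ok,) = payable(msg.sender).call{ value: amount }("");
        if (!ok) revert ETH_TRANSFER_FAILED();
    }
}

/// Constructed recipient that consumes all forwarded gas, used to exercise
/// both paths: deliverUnbounded reverts; deliverBounded records the amount.
contract GasBurner {
    receive() external payable {
        while (true) {}
    }
}
```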

c4-pre-sort commented 5 months ago

minhquanym marked the issue as insufficient quality report

minhquanym commented 5 months ago

Invalid

c4-judge commented 5 months ago

0xean marked the issue as unsatisfactory: Invalid