Impact
Failure to enforce gas limits in the onMessageInvocation function of ERC1155Vault increases the susceptibility of the contract to gas exhaustion attacks, potentially resulting in denial-of-service (DoS) scenarios and disrupting contract functionality.
Proof of Concept
The onMessageInvocation function in the ERC1155Vault contract is responsible for processing messages received from the source chain and initiating the transfer of ERC1155 tokens and Ether to designated addresses on the destination chain. However, within this function, there exists a critical vulnerability due to the absence of explicit gas limit enforcement during Ether transfers.
In Ethereum smart contracts, gas is a fundamental unit used to measure computational effort and determine the cost of executing transactions. Each transaction specifies a gas limit, which is the maximum amount of gas the sender is willing to consume for transaction execution. If the gas consumption exceeds this limit, the transaction is reverted, and any changes made during execution are rolled back.
The vulnerable code snippet within the onMessageInvocation function is as follows:
to.sendEther(msg.value); // Gas limit not explicitly enforced
This line transfers Ether to the designated recipient address (to) using the sendEther function from the LibAddress library. However, the function call does not specify a gas limit for the transaction. Without an explicitly enforced gas limit, the transaction can potentially consume an excessive amount of gas during execution, leading to out-of-gas exceptions.
The impact of this vulnerability can be severe. Without gas limit enforcement, an attacker could craft malicious transactions designed to consume all available gas during execution. This could result in gas exhaustion, causing the transaction to revert and disrupting the intended functionality of the contract. In the worst case, such attacks could cause denial of service (DoS), rendering the contract temporarily or permanently unusable.
Tools Used
Manual
Recommended Mitigation Steps
Enforce a gas limit when transferring Ether within the onMessageInvocation function. This can be achieved by passing a gas limit parameter to the sendEther function, ensuring that the transaction has a maximum gas limit specified for execution:
// Inside onMessageInvocation function
to.sendEther(msg.value, _op.gasLimit); // Enforce gas limit
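A sketch of what an uncapped and a gas-capped Ether transfer look like side by side, added here as an example; it is not Taiko's LibAddress or ERC1155Vault code. The names EtherSend, sendAll, sendCapped, VaultSketch, deliver and ETH_TRANSFER_GAS are hypothetical, and the 50,000 gas value is an assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration with hypothetical names; not the audited project's code.
library EtherSend {
    error EthTransferFailed();

    /// Uncapped form: forwards all remaining gas (minus the EVM's 1/64
    /// reserve) to whatever code runs at the recipient address.
    function sendAll(address to, uint256 amount) internal {
        if (amount == 0) return;
        (bool ok, ) = to.call{ value: amount }("");
        if (!ok) revert EthTransferFailed();
    }

    /// Capped form: the recipient's code receives at most `gasLimit` gas
    /// (plus the 2300 stipend the EVM adds to value-bearing calls).
    /// Assembly is used so no return data is copied back into memory.
    function sendCapped(address to, uint256 amount, uint256 gasLimit) internal {
        if (amount == 0) return;
        bool ok;
        assembly {
            ok := call(gasLimit, to, amount, 0, 0, 0, 0)
        }
        if (!ok) revert EthTransferFailed();
    }
}

contract VaultSketch {
    using EtherSend for address;

    // Assumed value; size it for the receive() logic you intend to support.
    uint256 public constant ETH_TRANSFER_GAS = 50_000;

    // Stand-in for the Ether leg of a message handler such as
    // onMessageInvocation: the recipient cannot burn more than the cap.
    function deliver(address to) external payable {
        to.sendCapped(msg.value, ETH_TRANSFER_GAS);
    }
}
```

The cap bounds how much gas the recipient can consume, but a recipient whose receive logic needs more than the cap will make the transfer revert.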
Lines of code
https://github.com/code-423n4/2024-03-taiko/blob/f58384f44dbf4c6535264a472322322705133b11/packages/protocol/contracts/tokenvault/ERC1155Vault.sol#L112
Assessed type
Context