sherlock-audit / 2023-09-perennial-judging

0 stars 0 forks source link

0xVinylDavyl - The contract uses a constant gas buffer (`GAS_BUFFER`) set to 100,000, which may not be sufficient for complex operations, potentially leading to transaction failures or inconsistent states. #14

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

0xVinylDavyl

medium

The contract uses a constant gas buffer (GAS_BUFFER) set to 100,000, which may not be sufficient for complex operations, potentially leading to transaction failures or inconsistent states.

Summary

The contract uses a constant gas buffer (GAS_BUFFER) set to 100,000, which may not be sufficient for complex operations, potentially leading to transaction failures or inconsistent states.

Vulnerability Detail

The vulnerability lies in the assumption of a constant gas buffer (GAS_BUFFER). This approach may not account for varying gas requirements, especially when Ethereum's gas prices are high. Complex operations or unexpected conditions during execution may exceed the specified gas buffer.

Impact

If the gas buffer is insufficient for certain transactions, they may fail to execute completely, resulting in wasted gas fees and leaving the contract in an inconsistent state. This could potentially impact the contract's functionality and security.

Code Snippet

of the vulnerable constant gas buffer in the code: https://github.com/sherlock-audit/2023-09-perennial/blob/main/perennial-v2/packages/perennial-extensions/contracts/MultiInvoker.sol#L20

uint256 public constant GAS_BUFFER = 100000; // solhint-disable-line var-name-mixedcase

Tool used

Manual Review

Recommendation

Mitigating the gas limitations and make gas estimation more flexible, consider using the gasleft() function to determine the required gas for transactions dynamically. This approach allows the contract to adapt to varying gas requirements and avoid running out of gas during complex or unexpected operations.

Recommendation of how to use gasleft() for gas estimation:

// Function with dynamic gas estimation
function executeWithDynamicGas() external {
    // Estimate gas consumption
    uint256 gasRequired = gasleft();

    // operations...

    // Check if there's enough gas to complete the transaction
    require(gasleft() >= gasRequired, "Insufficient gas");

}

By using gasleft(), you can accurately estimate the required gas for transactions and ensure that the contract has enough gas to complete operations successfully. This approach provides greater flexibility and resilience to varying gas conditions on the Ethereum network.

sherlock-admin commented 1 year ago

5 comment(s) were left on this issue during the judging contest.

panprog commented:

invalid because GAS_BUFFER is like a bonus for keeper, not intended to cover remaining gas in the transaction

n33k commented:

invalid, ai generated groundless report

0xyPhilic commented:

invalid because it is a design choice

darkart commented:

Informational/Low while its a good recomendation it is working as intended and there is no vulnerability there

polarzero commented:

Invalid. Again, this is a valid concern, but it is not significant enough to be considered as a medium/high severity issue.