OMEN - Gas Abuse in Cross-Chain Messaging

[sherlock-admin2]

OMEN

High

Gas Abuse in Cross-Chain Messaging

Summary

The current implementation of gas calculation for cross-chain messaging in Optimism allows for potential abuse. Users could send messages with minimal value transfer but cause the protocol to use a disproportionately large amount of gas.

Vulnerability Detail

The baseGas function calculates the gas required for message relay, including several overhead factors. A user can manipulate this by sending a message with a small value but a large _minGasLimit, causing the protocol to reserve more gas than necessary.

Let's consider a scenario where a user sends a minimal value transaction but with a large _minGasLimit:

1. Assumptions:

   • _message.length = 100 bytes
   • _minGasLimit = 1,000,000 gas

2. Calculation:

   baseGas = 200,000                            // RELAY_CONSTANT_OVERHEAD
       + (100 * 16)                         // Calldata overhead
       + ((1,000,000 * 64) / 63)            // Dynamic overhead
       + 40,000                             // RELAY_CALL_OVERHEAD
       + 40,000                             // RELAY_RESERVED_GAS
       + 5,000                              // RELAY_GAS_CHECK_BUFFER
       = 200,000 + 1,600 + 1,015,873 + 40,000 + 40,000 + 5,000
       = 1,302,473 gas

   3.Analysis:

• The user's transaction might only require a fraction of the 1,000,000 gas limit.
• The protocol reserves 1,302,473 gas, which is significantly more than likely needed.
• The ratio of useful work to gas reserved is very low, potentially less than 1%.

Impact

Impact

1. Increased costs for the protocol or relayers
2. Potential DoS if gas limits are reached
3. Inefficient use of L1 resources

   Code Snippet

   function baseGas(bytes calldata _message, uint32 _minGasLimit) public pure returns (uint64) {
   return
   RELAY_CONSTANT_OVERHEAD
   + (uint64(_message.length) * MIN_GAS_CALLDATA_OVERHEAD)
   + ((_minGasLimit * MIN_GAS_DYNAMIC_OVERHEAD_NUMERATOR) / MIN_GAS_DYNAMIC_OVERHEAD_DENOMINATOR)
   + RELAY_CALL_OVERHEAD
   + RELAY_RESERVED_GAS
   + RELAY_GAS_CHECK_BUFFER;
   }

   https://github.com/sherlock-audit/2024-08-tokamak-network/blob/main/tokamak-thanos/packages/tokamak/contracts-bedrock/src/universal/CrossDomainMessenger.sol#L169-L196

Tool used

Manual Review

Recommendation

charge fee for gas price