This repository has been archived by the owner on Dec 10, 2023. It is now read-only.
KingNFT - Keepers can steal additional execution fee from users #199
Labels: Has Duplicates (a valid issue with 1+ other issues describing the same vulnerability); Medium (a valid Medium severity issue); Reward (a payout will be made for this issue); Sponsor Confirmed (the sponsor acknowledged this issue is valid); Will Fix (the sponsor confirmed this issue will be fixed)
KingNFT
medium
Keepers can steal additional execution fee from users
Summary
The implementation of payExecutionFee() didn't take EIP-150 into consideration. A malicious keeper can exploit it to drain out all the execution fee users have paid, regardless of the actual execution cost.
Vulnerability Detail
The issue arises on L55 of payExecutionFee(). As it's an external function, calling payExecutionFee() is subject to EIP-150. Only 63/64 of the remaining gas is passed to the GasUtils sub-contract (external library), and the remaining 1/64 is reserved in the caller contract and refunded to the keeper (msg.sender) after the execution of the whole transaction. But the calculation of gasUsed includes this reserved portion as well, as if it had been spent. A malicious keeper can exploit this to drain out all the execution fee, regardless of the actual execution cost.
Let's take the executeDeposit() operation as an example to show how it works. To simplify the problem, let actualUsedGas be the gas cost since startingGas was recorded (L146 of DepositHandler.sol) but before calling payExecutionFee() (L221 of ExecuteDepositUtils.sol).
Let's say the keeper sets tx.gaslimit to make startingGas = 164K. Then the calculation of gasUsed, L55 of GasUtils.sol, would be
and
As the setting of tx.gaslimit doesn't affect the actual gas cost of the whole transaction, the excess gas will be refunded to msg.sender. Now the keeper increases tx.gaslimit to make startingGas = 6500K; the calculation of gasUsed would be
and
We can see the keeper successfully drains out all the execution fee, and the user gets nothing refunded.
Impact
Keepers can steal additional execution fee from users.
Code Snippet
https://github.com/sherlock-audit/2023-04-gmx/blob/main/gmx-synthetics/contracts/gas/GasUtils.sol#L55
Tool used
Manual Review
Recommendation
The description in the Vulnerability Detail section has been simplified. In fact, the gasleft value should be adjusted after each external call during the whole call stack, not just in payExecutionFee().
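The arithmetic behind the Vulnerability Detail walkthrough and the Recommendation, as an added model that is not the GMX code: it applies EIP-150's 63/64 forwarding to gasUsed = startingGas - gasleft() measured inside the external library, shows the over-count growing with the keeper's gas limit, and includes one assumed way of adjusting for it (subtracting gasleft() / 63 from startingGas in the callee). The actualUsedGas of 100K, the prepaid fee, the gas price, and the simplified fee split are assumptions; only the two startingGas values come from the report.

```python
# Constructed model of EIP-150's 63/64 rule and its effect on
# gasUsed = startingGas - gasleft() measured inside an external library.
# Not the GMX code; the numbers below are assumptions for illustration.

def eip150_forwarded(gas_available: int) -> int:
    """Gas the callee receives under EIP-150: all but 1/64 of the caller's gas."""
    return gas_available - gas_available // 64


def measured_gas_used(starting_gas: int, actual_used_gas: int) -> int:
    """gasUsed as payExecutionFee() computes it: startingGas - gasleft().

    gasleft() runs in the callee, which only received 63/64 of what the caller
    had left, so the withheld 1/64 is counted as 'used' even though the keeper
    gets it back when the transaction ends.
    """
    gas_at_call = starting_gas - actual_used_gas
    callee_gasleft = eip150_forwarded(gas_at_call)
    return starting_gas - callee_gasleft


def reserved_gas(starting_gas: int, actual_used_gas: int) -> int:
    """The over-count: the 1/64 reserve, which grows with the keeper's gas limit."""
    return measured_gas_used(starting_gas, actual_used_gas) - actual_used_gas


def adjusted_gas_used(starting_gas: int, actual_used_gas: int) -> int:
    """Assumed mitigation (not from the report): in the callee, lower startingGas
    by gasleft() / 63. The callee's gasleft() is ~63/64 of the caller's remaining
    gas, so gasleft() / 63 recovers the withheld 1/64 (off by at most 1 gas
    because of integer flooring)."""
    callee_gasleft = eip150_forwarded(starting_gas - actual_used_gas)
    corrected_starting_gas = starting_gas - callee_gasleft // 63
    return corrected_starting_gas - callee_gasleft


def fee_split(execution_fee: int, gas_used: int, gas_price: int) -> tuple:
    """Simplified split (assumption): keeper is paid gasUsed * gas price, capped
    at the fee the user prepaid; whatever remains is refunded to the user."""
    keeper_fee = min(gas_used * gas_price, execution_fee)
    return keeper_fee, execution_fee - keeper_fee


if __name__ == "__main__":
    ACTUAL_USED = 100_000      # assumed real cost before payExecutionFee()
    FEE, PRICE = 150_000, 1    # assumed prepaid fee (wei) and gas price (wei/gas)
    for starting_gas in (164_000, 6_500_000):   # the report's two startingGas values
        used = measured_gas_used(starting_gas, ACTUAL_USED)
        print(starting_gas, used, reserved_gas(starting_gas, ACTUAL_USED),
              fee_split(FEE, used, PRICE), adjusted_gas_used(starting_gas, ACTUAL_USED))
```

With these assumptions the 164K case over-counts by 1K gas and still refunds the user, while the 6500K case over-counts by 100K gas and the keeper's capped fee consumes the entire prepaid amount.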