An examination of GMXDeposit.sol, GMXVault.sol, and GMXWithdraw.sol within the GMX strategy contracts reveals a critical oversight concerning gas usage in external calls. Because the calls forward gas without a limit, a callee could consume the transaction's gas and cause operational disruptions.
The contracts make external calls without specifying a gas limit:
Because no gas limit is set, the callee receives essentially all of the remaining gas and can consume it. A callee with a gas-intensive fallback function, or any other expensive code path, can therefore make the transaction fail or deny service.
A malicious or faulty callee could deliberately exhaust the transaction's gas, causing repeated transaction failures.
Transactions that run out of gas revert, disrupting the intended functionality and the flow of funds.
Exhausting the gas before later operations in the same transaction complete can leave the system in an unanticipated state or cause loss of funds.
Tools used: manual review.
To address this issue, it is advised to:
Explicit gas limitation: amend external calls to include a specific gas limit, for example addr.call{value: msg.value, gas: 10000}("").
Adoption of safer external call practices: use a library such as ExcessivelySafeCall that enforces safer external call patterns with fixed gas limits.
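The two recommendations above, illustrated as an added example (not GMX code and not the ExcessivelySafeCall library itself): the unbounded transfer beside a gas-bounded one that records a failed payout for later withdrawal instead of letting a gas-hungry recipient block the caller. The contract name, CALL_GAS_LIMIT and the pending-withdrawal ledger are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical contract written for this example; not part of the audited code.
contract BoundedCallExample {
    // Gas forwarded to the recipient. The value mirrors the finding's example;
    // tune it to what a legitimate recipient actually needs.
    uint256 public constant CALL_GAS_LIMIT = 10_000;

    // Payouts that could not be delivered directly, claimable by the recipient.
    mapping(address => uint256) public pendingWithdrawals;

    event PayoutDeferred(address indexed to, uint256 amount);

    // Vulnerable pattern: no gas limit, so the recipient's fallback code
    // may burn almost all of the remaining gas and force a revert.
    function payUnbounded(address to) external payable {
        (bool ok, ) = to.call{value: msg.value}("");
        require(ok, "call failed");
    }

    // Hardened pattern: the recipient gets a fixed gas budget, and a failed
    // call is recorded rather than reverting the whole transaction, so the
    // caller's remaining logic still completes.
    function payBounded(address to) external payable {
        (bool ok, ) = to.call{value: msg.value, gas: CALL_GAS_LIMIT}("");
        if (!ok) {
            pendingWithdrawals[to] += msg.value;
            emit PayoutDeferred(to, msg.value);
        }
    }

    // Pull payment: the recipient retrieves a deferred payout in its own
    // transaction and therefore pays for its own gas-heavy receive logic.
    function withdraw() external {
        uint256 amount = pendingWithdrawals[msg.sender];
        require(amount > 0, "nothing to withdraw");
        pendingWithdrawals[msg.sender] = 0; // zero before the call (reentrancy)
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "withdraw failed");
    }
}
```

The bounded call still charges the caller for whatever the callee uses within the limit, so the limit is a cap on the damage, not a cost saving.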