Summary
No gas limit is set on the low-level calls shown below, so the recipient can consume all of the transaction's gas and cause it to revert.
Vulnerability Details
// Excerpt (the listing is cut off before the closing braces).
// Pays msg.sender every non-zero reward recorded for them, one accepted token at a time.
function claimRewards() external {
// The token list comes from the external token manager contract.
ITokenManager.Token[] memory _tokens = ITokenManager(tokenManager).getAcceptedTokens();
for (uint256 i = 0; i < _tokens.length; i++) {
ITokenManager.Token memory _token = _tokens[i];
// Rewards are keyed by the packed (claimer address, token symbol) pair.
uint256 _rewardAmount = rewards[abi.encodePacked(msg.sender, _token.symbol)];
if (_rewardAmount > 0) {
// The stored reward is cleared before the external transfer below (effect before interaction).
delete rewards[abi.encodePacked(msg.sender, _token.symbol)];
// A zero token address is treated here as the native asset.
if (_token.addr == address(0)) {
// Low-level call with no explicit {gas: ...} cap; the recipient is msg.sender itself.
(bool _sent,) = payable(msg.sender).call{value: _rewardAmount}("");
// A failed native transfer reverts the whole claim, including tokens already handled in this loop.
require(_sent);
} else {
// NOTE(review): the return value of transfer is not checked; a token that returns false
// instead of reverting would leave the reward deleted but unpaid. Confirm against the tokens accepted.
IERC20(_token.addr).transfer(msg.sender, _rewardAmount);
}
And
// Sends `_amount` of native collateral to `_to`; restricted by the onlyOwner modifier.
function removeCollateralNative(uint256 _amount, address payable _to) external onlyOwner {
// Reverts with UNDER_COLL unless canRemoveCollateral accepts removing `_amount` of the NATIVE token.
require(canRemoveCollateral(getTokenManager().getToken(NATIVE), _amount), UNDER_COLL);
// Low-level call with no explicit {gas: ...} cap. `_to` is chosen by the caller, and the
// return data is not bound to a variable. Only the success flag is used.
(bool sent,) = _to.call{value: _amount}("");
// A failed transfer reverts the whole withdrawal, so the event below is only emitted on success.
require(sent, "err-native-call");
emit CollateralRemoved(NATIVE, _amount, _to);
}
Impact
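A malicious recipient could carry out a gas-griefing attack against a relayer that submits the transaction. Because gas griefing gives the attacker no economic gain, it is only effective when a relayer is involved and bears the gas cost. In both snippets the recipient is either `msg.sender` or an address chosen by the owner, so the impact applies only when a party other than that caller pays for the transaction.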
Tools Used
Manual Review
Recommendations
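To address this, consider setting an explicit gas limit with `addr.call{gas: <amount>}("")`,
or use the ExcessivelySafeCall library for more controlled and secure execution of calls.
Choose the limit with care: a value that is too low can make transfers fail for contract recipients whose receive logic needs more gas.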