DeFiFoundry
50,000 USDC
Submission Details
Severity: low
Invalid

Inaccurate gas price estimation on Arbitrum

Summary

The contracts make extensive use of tx.gasprice to estimate gas costs. These calculations will be inaccurate when the contracts are deployed on Arbitrum.

Vulnerability Details

The functions createOrder, settle, mint, _payExecutionFee, _handleReturn

According to https://support.avax.network/en/articles/6169826-how-are-gas-fees-calculated

With the introduction of dynamic fees, legacy-style transactions that only have a single gas price parameter can lead to both delayed transactions and overpaying for transactions. Dynamic fee transactions are the solution! For more info, read this.

For the dynamic fee algorithm, when a block is produced or verified, we look over the past 10s to see how much gas has been consumed within that window (with an added charge for each block produced in that window) to determine the current network utilization. This window has a target utilization, which is currently set to 15M gas units.
Feel like the user can still choose to pay the low execution fee, which is bad for GMX.
Errr, I cannot find any solid explanation of how the tx.gasprice is determined in the Arbitrum network.

Some users pay a very high execution fee and some users pay a low execution fee because of the usage of tx.gasprice.

The tx.gasprice can fluctuate a lot based on the metric of the busyness of the network.

It is possible that the user underpays the execution fee in a less busy time but the keeper has to pay an additional gas fee to execute the order.

In Arbitrum, the gas estimation has a different mechanism:

https://developer.arbitrum.io/arbos/gas#estimating-gas

The L2 component consists of the traditional fees geth would pay to stakers in a vanilla L1 chain, such as the computation and storage charges applying the state transition function entails. ArbOS charges additional fees for executing its L2-specific precompiles, whose fees are dynamically priced according to the specific resources used while executing the call.

https://developer.arbitrum.io/arbos/gas#gas-price-floor

The L2 gas price on a given Arbitrum chain has a set floor, which can be queried via ArbGasInfo.getMinimumGasPrice (currently 0.1 gwei on Arbitrum One and 0.01 gwei on Nova).

The code does not use ArbGasInfo to check the updated L2 gas price.

https://arbiscan.io/address/0x000000000000000000000000000000000000006c#readContract

Resources:

https://github.com/OffchainLabs/nitro/blob/master/precompiles/ArbGasInfo.go

and

https://developer.arbitrum.io/arbos/common-precompiles

see ArbGasInfo

Impact

Users can heavily underpay the gas fee because of the lack of a gas estimation check, especially on Arbitrum; the protocol has to stipend the gas out of its own pocket to execute the order.

Tools Used

Manual Review

Recommendations

Recommend using the ArbGasInfo gas check on Arbitrum.

Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

invalid_tx-gasprice_instable

The frontrunner won’t trigger "congestion" without a huge amount of transactions, and it will cost a lot. Moreover, the execution gas limit is overestimated to prevent such cases:

```
executionGasLimit = baseGasLimit + ((estimatedGasLimit + _callbackGasLimit) * multiplierFactor) / PRECISION;
```

The keeper won’t wait long to execute the order; otherwise, GMX would not be competitive.
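The trade-off between the submission's concern and the judge's formula can be put in numbers. The following model is an added example, not code from the submission or the protocol. It assumes the prepaid fee is the execution gas limit times tx.gasprice at order creation, assumes a `PRECISION` of 10^30, and uses constructed gas figures throughout.

```python
# Added example: models how far the gas price can rise between order creation
# and keeper execution before the prepaid execution fee stops covering the cost.
# All numbers below are constructed; PRECISION is an assumed fixed-point scale.

PRECISION = 10**30


def execution_gas_limit(base_gas_limit, estimated_gas_limit,
                        callback_gas_limit, multiplier_factor):
    """Formula quoted in the judge's comment, with Solidity-style integer division."""
    scaled = (estimated_gas_limit + callback_gas_limit) * multiplier_factor
    return base_gas_limit + scaled // PRECISION


def min_execution_fee(gas_limit, gas_price_at_creation):
    """Assumed prepayment rule: gas limit priced at tx.gasprice of the creating tx."""
    return gas_limit * gas_price_at_creation


def break_even_gas_price(prepaid_fee, gas_used):
    """Highest execution-time gas price (wei) the prepaid fee still fully covers."""
    return prepaid_fee // gas_used


def keeper_shortfall(prepaid_fee, gas_used, gas_price_at_execution):
    """Wei the keeper pays beyond the user's prepayment (0 if fully covered)."""
    return max(0, gas_used * gas_price_at_execution - prepaid_fee)


def simulate(creation_price, execution_price, gas_used=1_400_000):
    """Run one constructed scenario: order created at one price, executed at another."""
    limit = execution_gas_limit(
        base_gas_limit=300_000,
        estimated_gas_limit=1_000_000,
        callback_gas_limit=200_000,
        multiplier_factor=15 * 10**29,  # 1.5x over-estimation, constructed
    )
    fee = min_execution_fee(limit, creation_price)
    return {
        "gas_limit": limit,
        "prepaid_fee": fee,
        "break_even_price": break_even_gas_price(fee, gas_used),
        "shortfall": keeper_shortfall(fee, gas_used, execution_price),
    }


if __name__ == "__main__":
    GWEI = 10**9
    print(simulate(GWEI // 10, 12 * GWEI // 100))  # small rise: covered
    print(simulate(GWEI // 10, 3 * GWEI // 10))    # 3x rise: keeper pays the gap
```

In this constructed scenario the over-estimated limit absorbs a rise in gas price of up to 1.5x between creation and execution; beyond that the keeper covers the difference.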
