Incorrect Execution Fee Handling in `PerpetualVault._payExecutionFee`
Summary
The execution fee in the PerpetualVault._payExecutionFee function is calculated using tx.gasprice, which can vary significantly. This can lead to insufficient fees if gas prices spike, causing transactions to fail or be delayed.
Vulnerability Details
The _payExecutionFee function calculates the minimum execution fee using the current transaction's gas price (tx.gasprice). Gas prices can fluctuate significantly, especially during periods of high network congestion. If the gas price spikes after the execution fee is calculated but before the transaction is mined, the calculated fee may become insufficient, leading to failed transactions.
Root Cause:
The execution fee is calculated using tx.gasprice, which can vary significantly, leading to insufficient fees if gas prices spike.
Proof of Concept:
-
Code Analysis:
function _payExecutionFee(uint256 depositId, bool isDeposit) internal {uint256 minExecutionFee = getExecutionGasLimit(isDeposit) * tx.gasprice;if (msg.value < minExecutionFee) {revert Error.InsufficientAmount();}if (msg.value > 0) {payable(address(gmxProxy)).transfer(msg.value);depositInfo[depositId].executionFee = msg.value;}} -
Example Scenario:
Execution Fee Calculation:
Assume the gas price at the time of calculation is 50 gwei.
The execution fee is calculated as
getExecutionGasLimit(isDeposit) * 50 gwei.
Gas Price Spike:
Before the transaction is mined, the gas price spikes to 100 gwei.
The calculated execution fee is now insufficient to cover the increased gas cost.
Transaction Failure:
The transaction fails due to insufficient execution fees.
The user needs to resubmit the transaction with a higher fee, causing delays and additional costs.
-
** Unit Test: copy and paste to**
PerpetualVault.t.solfunction test_InsufficientExecutionFee() external {address keeper = PerpetualVault(vault).keeper();address alice = makeAddr("alice");depositFixture(alice, 1e10);// Simulate a gas price spikeuint256 initialGasPrice = tx.gasprice;uint256 spikedGasPrice = initialGasPrice * 2;// Set the gas price to the spiked valuevm.txGasPrice(spikedGasPrice);// Attempt to deposit with the initial execution feeuint256 executionFee = PerpetualVault(vault).getExecutionGasLimit(true) * initialGasPrice;vm.startPrank(alice);IERC20 collateralToken = PerpetualVault(vault).collateralToken();collateralToken.approve(vault, 1e10);vm.expectRevert(Error.InsufficientAmount.selector);PerpetualVault(vault).deposit{value: executionFee}(1e10);vm.stopPrank();}
Impact
Failed transactions due to insufficient execution fees can cause delays in processing deposits and withdrawals, leading to stuck operations and a poor user experience. Users may need to resubmit transactions with higher fees, incurring additional costs and delays.
Tools Used
Manual
Recommendations
To prevent insufficient execution fees due to gas price fluctuations, consider implementing a buffer or using a more stable mechanism for calculating the execution fee. One approach is to add a buffer to the calculated fee:
You can also consider to use
maxGasCosttechnique as recommended in this report below:
https://solodit.cyfrin.io/issues/m-02-maker-order-buyer-is-forced-to-reimburse-the-gas-cost-at-any-txgasprice-code4rena-infinity-nft-marketplace-infinity-nft-marketplace-contest-git
Lead Judging Commences
invalid_tx-gasprice_instable
The frontrunner won’t trigger "congestion" without a huge amount of transactions, and it will cost a lot. Moreover, the execution gas limit is overestimated to prevent such cases: ``` executionGasLimit = baseGasLimit + ((estimatedGasLimit + _callbackGasLimit) * multiplierFactor) / PRECISION; ``` The keeper won’t wait long to execute the order; otherwise, GMX would not be competitive.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.