Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Invalid

### Gas Griefing Attack in `TimeLockController::executeBatch()` Function

Overview

The executeBatch function in the provided smart contract is vulnerable to a gas griefing attack. This vulnerability arises due to the lack of safeguards when making external calls to addresses provided in the targets array. An attacker can exploit this by supplying a malicious smart contract address that executes an infinite loop or consumes an excessive amount of gas, causing the entire transaction to fail or become prohibitively expensive.

Vulnerability Details

  1. Functionality of executeBatch:

    • The function iterates over an array of target addresses (targets) and sends Ether (values[i]) along with calldata (calldatas[i]) to each address using a low-level call operation.

    • The function does not validate whether the target addresses are EOAs (Externally Owned Accounts) or smart contracts, nor does it impose any restrictions on the gas consumption of the external calls.

  2. Gas Griefing Attack:

    • An attacker can supply a malicious smart contract address in the targets array.

    • The malicious contract can be designed to:

      • Execute an infinite loop, consuming all available gas.

      • Perform computationally expensive operations, causing the transaction to run out of gas.

    • Since the executeBatch function does not limit the gas supplied to each external call, the entire transaction can fail or become economically unviable due to excessive gas costs.

  3. Impact:

    • Transaction Failure: If the malicious contract consumes all gas, the transaction will revert, preventing the execution of other legitimate calls in the batch.

    • Economic Exploitation: The attacker can force the transaction to consume an excessive amount of gas, increasing the cost of executing the batch operation.

    • Denial of Service (DoS): Repeated exploitation of this vulnerability can render the contract unusable, as legitimate users may be unable to execute batches due to high gas costs or transaction failures.

Proof of Concept (PoC)

Below is an example of a malicious contract that an attacker could deploy and include in the targets array.

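```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract MaliciousContract {
    // Runs on any call or plain Ether transfer to this contract
    fallback() external payable {
        while (true) {
            // Infinite loop consuming gas
        }
    }
}
```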

When the executeBatch function attempts to send Ether to this contract, the infinite loop will consume all gas, causing the transaction to fail.

Recommendations

To mitigate this vulnerability, consider the following solutions:

  1. Gas Limit for External Calls:

    • Impose a gas limit for each external call using call{gas: <limit>}. This ensures that even if a malicious contract

      ```solidity
      (bool success, bytes memory returndata) = targets[i].call{value: values[i], gas: 50000}(calldatas[i]);
      ```

  2. Validate Target Addresses:

    • Restrict the targets array to only allow EOAs (Externally Owned Accounts) or pre-approved smart contracts.

      ```solidity
      require(targets[i].code.length == 0, "Only EOAs are allowed");
      ```

  3. Batch Execution with Gas Checks:

    • Implement a mechanism to estimate the gas consumption of each external call before execution. If the estimated gas exceeds a predefined threshold, revert the transaction.
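One way to apply the per-call gas limit from the first recommendation, as an added sketch that is not part of the submission and is not the audited `TimeLockController` code. The contract name, errors and constant are hypothetical, and access control and timelock scheduling checks are omitted. It goes beyond the one-line fix by also checking that the cap can actually be forwarded and by not copying return data.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical batch executor illustrating a per-call gas cap.
contract CappedBatchExecutor {
    // 50000 is the figure used in the submission's recommendation.
    uint256 public constant CALL_GAS_CAP = 50_000;

    error LengthMismatch();
    error InsufficientGas(uint256 index);
    error CallFailed(uint256 index);

    function executeBatch(
        address[] calldata targets,
        uint256[] calldata values,
        bytes[] calldata calldatas
    ) external payable {
        if (targets.length != values.length || targets.length != calldatas.length) {
            revert LengthMismatch();
        }
        for (uint256 i = 0; i < targets.length; ++i) {
            address target = targets[i];
            uint256 value = values[i];
            bytes memory data = calldatas[i];

            // EIP-150 forwards at most 63/64 of the remaining gas. Require enough
            // gas up front so the callee really gets CALL_GAS_CAP and the call
            // cannot be made to fail by under-funding the transaction.
            // Approximate: the CALL's own base cost is not subtracted.
            if (gasleft() * 63 / 64 < CALL_GAS_CAP) revert InsufficientGas(i);

            bool success;
            // Output size 0: return data is never copied into memory, so the
            // callee cannot raise the caller's cost with a large return value.
            assembly {
                success := call(CALL_GAS_CAP, target, value, add(data, 0x20), mload(data), 0, 0)
            }
            if (!success) revert CallFailed(i);
        }
    }
}
```

The cap bounds how much gas a single target can burn; the batch remains atomic, so a target that exhausts its cap still reverts the whole batch.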

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
