
Gas refund logic may lead to DDoS condition in the smart contracts #13

Open
0xM3R opened this issue Dec 11, 2024 · 1 comment · May be fixed by #24


0xM3R commented Dec 11, 2024

Vulnerability Details

The onCall function refunds gas using payable(sender).call. This refund mechanism is prone to failure, potentially leading to denial-of-service conditions.

Related CVE:
CVE-2024-44445: This issue involved state manipulation attacks in a BSC smart contract, where attackers could inflate token balances, leading to increased profits without cost.

Analysis

The vulnerable implementation:

    (bool success, ) = payable(sender).call{value: gasAmount}("");
    if (!success) revert GasTokenTransferFailed();

  • The refund depends on successful execution of the external call.
  • Failure due to gas limits or recipient-side issues will halt execution.

How It Can Be Harmful

  • DoS Risks: Failed refunds can block execution.
  • Unexpected Behavior: Dependence on recipient’s external logic introduces risks of unforeseen failures.

PoC Code

Simulate a refund failure by sending funds to a contract with a rejecting fallback:

    // SPDX-License-Identifier: MIT
    pragma solidity ^0.8.0;

    contract RejectRefund {
        // Rejects any plain Ether transfer, so the refund call returns success == false
        fallback() external payable {
            revert();
        }
    }

How to Mitigate the Issue

  1. Graceful Handling:
    Log refund failures instead of reverting:
    if (!success) emit RefundFailed(sender, gasAmount);
  2. Avoid Refunds:
    Remove the refund mechanism entirely to simplify contract logic.

References

@0xM3R 0xM3R changed the title Gas refund logic may lead to DDoS condition in the smart contract Gas refund logic may lead to DDoS condition in the UninversalNFT contract Dec 11, 2024
@0xM3R 0xM3R changed the title Gas refund logic may lead to DDoS condition in the UninversalNFT contract Gas refund logic may lead to DDoS condition in the smart contracts Dec 11, 2024

0xM3R commented Dec 11, 2024

The same flawed logic has been implemented in the UniversalToken.sol as well.

    (bool success, ) = payable(sender).call{value: amount}("");
    if (!success) revert GasTokenTransferFailed();
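Added example, not code from the zeta-chain repository or from the issue author: it places the revert-on-failure refund pattern quoted in both comments above (the onCall path and the UniversalToken.sol path) beside a version that applies the "graceful handling" mitigation from the issue, and it wires in the RejectRefund contract from the PoC so the difference can be exercised in a test harness such as Foundry or Remix. The contract and function names (RefundVulnerable, RefundHardened, process, claimRefund), the pendingRefunds ledger, and the explicit gas cap on the refund call are assumptions chosen for the illustration, not part of the project.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (assumed names, not the project's code). Both contracts are
// funded on deployment and forward a refund to `sender` after doing their work.

error GasTokenTransferFailed();

/// Pattern quoted in the issue: the refund is pushed with call and a failed
/// transfer reverts the whole transaction, so any `sender` that rejects Ether
/// prevents the rest of the flow from completing.
contract RefundVulnerable {
    constructor() payable {}

    function process(address sender, uint256 gasAmount) external {
        // ... application logic would run here, then the gas refund ...
        (bool success, ) = payable(sender).call{value: gasAmount}("");
        if (!success) revert GasTokenTransferFailed();
    }
}

/// Mitigation 1 from the issue ("log refund failures instead of reverting"),
/// extended with a pull-payment ledger so a failed refund is not lost: the
/// main flow completes regardless of the recipient's fallback behaviour, and
/// the recipient can collect later from an address that accepts Ether.
contract RefundHardened {
    event RefundFailed(address indexed sender, uint256 amount);
    event RefundClaimed(address indexed sender, uint256 amount);

    mapping(address => uint256) public pendingRefunds;

    constructor() payable {}

    function process(address sender, uint256 gasAmount) external {
        // ... application logic would run here, then the gas refund ...
        // Assumption: a fixed gas cap on the refund so a gas-hungry fallback
        // cannot consume the caller's remaining gas; the value is illustrative.
        (bool success, ) = payable(sender).call{value: gasAmount, gas: 50_000}("");
        if (!success) {
            // Record instead of revert: the transaction still succeeds.
            pendingRefunds[sender] += gasAmount;
            emit RefundFailed(sender, gasAmount);
        }
    }

    /// Recipient pulls what was recorded for it. State is cleared before the
    /// external call (checks-effects-interactions) so re-entry cannot double-claim.
    function claimRefund() external {
        uint256 amount = pendingRefunds[msg.sender];
        require(amount > 0, "nothing to claim");
        pendingRefunds[msg.sender] = 0;
        (bool success, ) = payable(msg.sender).call{value: amount}("");
        require(success, "claim failed");
        emit RefundClaimed(msg.sender, amount);
    }
}

/// The PoC recipient from the issue, with receive() added so that a plain
/// Ether transfer (empty calldata) is also rejected on compilers that route it
/// to receive() rather than fallback().
contract RejectRefund {
    fallback() external payable {
        revert();
    }

    receive() external payable {
        revert();
    }
}
```

In a test, deploying both refund contracts with a balance and calling `process(address(new RejectRefund()), 1 ether)` shows the contrast: RefundVulnerable reverts with GasTokenTransferFailed, while RefundHardened returns normally, emits RefundFailed, and leaves 1 ether in `pendingRefunds` for the RejectRefund address. Monitoring RefundFailed events is also the cheapest way to detect a recipient that is systematically rejecting refunds.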

@0xM3R 0xM3R added the Security label Dec 11, 2024
@0xM3R 0xM3R transferred this issue from another repository Dec 17, 2024
@0xM3R 0xM3R transferred this issue from zeta-chain/smart-contract-vulns Dec 17, 2024
@fadeev fadeev linked a pull request Dec 18, 2024 that will close this issue