Gas grieffing attack through external calls
Report ID
#16534
Target
Report type
Smart Contract
Impacts
- Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
- Theft of gas
Has PoC?
Yes
Bug Description
Hi! The bug relies in the pipe contract, in the functions doing external calls to the address inputted as a parameter, for example:
function _pipe(
address target,
bytes calldata data,
uint256 value
) private returns (bytes memory result) {
bool success;
(success, result) = target.call{value: value}(data);
LibFunction.checkReturn(success, result);
}
In this line:
(success, result) = target.call{value: value}(data);
Explanation: (bool success, bytes memory result) works in the way that bytes result, is the calldata that was returned from the target and it will be copied to memory. Memory allocation becomes very costly if the payload is big (calldata), so this means that if a receiver implements a fallback function that returns a huge payload(calldata), then the msg.sender of the transaction, will have to pay a huge amount of gas for copying this payload to memory. Therefore costing extra gas to the sender, (gas griefing).
This can be archived very easily in these contracts. And could compound to a quite big loss if done many times, but as it is gas griefing, the impact is medium.
Eventually, this scenario will happen if any protocol/you have to return something to user, then the user/attacker can create this sc to grief the sender/protocol.
Impact
Medium, increase exponentially gas fees for the senders of the transaction.
Risk Breakdown
Difficulty to Exploit: Easy
Recommendation
One of the good alternatives, would be to use a assembly call, which does not take data, so gas griefing would be disabled here.
bool success; assembly { success := call(2300, receiver, amount, 0, 0, 0) }
Proof of concept
Steps for the attack to happen:
Attacker interacts with a protocol that uses pipeline, or pipeline itself interacts with arbitrary users.
Protocol has a function that calls any of the functions that perform a external call to an arbitrary user.
user/Attacker creates a very big fallback function were lot of data will be sent to the _ppipe contract.
Protocol/pipeline has to pay much more gas than they had to due to the attack.
Done, repeat
BIC Response
This is not a security bug report because this can only be achieved by calling a malicious function. In addition, at least in theory, any UI that integrates with Pipeline should have measures in place such as capping the gas limit to a realistic amount. Pipeline was built with the philosophy that it is not the smart contract's role to protect users against misuse.
Due to these reasons, we are closing the submission and no reward will be issued.