Beanstalk Notion
Beanstalk Notion
📄

Report #16534

Report Date
January 31, 2023
Status
Closed
Payout

Gas grieffing attack through external calls

‣
Report Info

Report ID

#16534

Target

https://etherscan.io/address/0xb1bE0000bFdcDDc92A8290202830C4Ef689dCeaa

Report type

Smart Contract

Impacts

  • Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
  • Theft of gas

Has PoC?

Yes

Bug Description

Hi! The bug relies in the pipe contract, in the functions doing external calls to the address inputted as a parameter, for example:

function _pipe(
    address target,
    bytes calldata data,
    uint256 value
 ) private returns (bytes memory result) {
    bool success;
    (success, result) = target.call{value: value}(data);
    LibFunction.checkReturn(success, result);
  }

In this line:

     (success, result) = target.call{value: value}(data);

Explanation: (bool success, bytes memory result) works in the way that bytes result, is the calldata that was returned from the target and it will be copied to memory. Memory allocation becomes very costly if the payload is big (calldata), so this means that if a receiver implements a fallback function that returns a huge payload(calldata), then the msg.sender of the transaction, will have to pay a huge amount of gas for copying this payload to memory. Therefore costing extra gas to the sender, (gas griefing).

This can be archived very easily in these contracts. And could compound to a quite big loss if done many times, but as it is gas griefing, the impact is medium.

Eventually, this scenario will happen if any protocol/you have to return something to user, then the user/attacker can create this sc to grief the sender/protocol.

Impact

Medium, increase exponentially gas fees for the senders of the transaction.

Risk Breakdown

Difficulty to Exploit: Easy

Recommendation

One of the good alternatives, would be to use a assembly call, which does not take data, so gas griefing would be disabled here.

bool success; assembly { success := call(2300, receiver, amount, 0, 0, 0) }

Proof of concept

Steps for the attack to happen:

Attacker interacts with a protocol that uses pipeline, or pipeline itself interacts with arbitrary users.

Protocol has a function that calls any of the functions that perform a external call to an arbitrary user.

user/Attacker creates a very big fallback function were lot of data will be sent to the _ppipe contract.

Protocol/pipeline has to pay much more gas than they had to due to the attack.

Done, repeat

BIC Response

This is not a security bug report because this can only be achieved by calling a malicious function. In addition, at least in theory, any UI that integrates with Pipeline should have measures in place such as capping the gas limit to a realistic amount. Pipeline was built with the philosophy that it is not the smart contract's role to protect users against misuse.

Due to these reasons, we are closing the submission and no reward will be issued.