One Bug Per Day


Redaction: Undo the extra gas check

Medium · Recon Audits

Impact

This check:

https://github.com/subvisual/orki/blob/0e5f372d6bd37e794700e46b7be4974d7787319a/contracts/src/PriceFeeds/MainnetPriceFeedBase.sol#L109

```solidity
if (uint256(gasleft()) + uint256(2000) <= gasBefore / 64) revert InsufficientGasForExternalCall();
```

is meant to ensure that sufficient gas was provided before the revert.

Its original version:

```solidity
if (uint256(gasleft()) <= gasBefore / 64) revert InsufficientGasForExternalCall();
```

is incorrect, as it ignores the gas that is necessary.

In the case of an oracle reverting due to consuming too much gas, this will cause a revert.

The check:

```solidity
if (uint256(gasleft()) + uint256(2000) <= gasBefore / 64) revert InsufficientGasForExternalCall();
```

will not, but this seems to open up the ability to actually trigger a shutdown.

This requires very specific gas requirements that I did not fully test.

But given the fact that the other code is being reviewed by hundreds of auditors, and the POC below, I believe the change should be undone.

Mitigation

Revert back to:

```solidity
if (uint256(gasleft()) <= gasBefore / 64) revert InsufficientGasForExternalCall();
```

I believe the only safe way to check that sufficient gas was provided is to check before the calls, with a hardcoded value.
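The two checks compared under Impact can be put side by side in a simplified model of the EIP-150 63/64 rule. This is an added example, not the report's POC or the project's code; `PRE_COST`, `POST_COST`, the `shutdown_path` label and the scenario values are assumptions chosen for illustration.

```python
# Simplified model of the gas accounting around one external oracle call.
# PRE_COST and POST_COST are assumed constants, not measured from the contract.
PRE_COST = 2_700   # assumed gas spent between reading gasBefore and forwarding gas
POST_COST = 100    # assumed gas spent between the call returning and the check


def original_check(gas_left: int, gas_before: int) -> bool:
    """if (gasleft() <= gasBefore / 64) revert InsufficientGasForExternalCall()"""
    return gas_left <= gas_before // 64


def padded_check(gas_left: int, gas_before: int) -> bool:
    """if (gasleft() + 2000 <= gasBefore / 64) revert InsufficientGasForExternalCall()"""
    return gas_left + 2000 <= gas_before // 64


def outcome(gas_before: int, callee_needs: int, check) -> str:
    """Return 'ok', 'revert' (the custom error) or 'shutdown_path'.

    'shutdown_path' is a label used here for the case where the failed call
    is not rejected by the gas check and is handled as an oracle failure.
    """
    available = gas_before - PRE_COST
    forwarded = available - available // 64        # EIP-150: caller retains 1/64
    if callee_needs <= forwarded:
        return "ok"                                # oracle call completes
    # Callee ran out of gas and burned everything that was forwarded.
    gas_left = available - forwarded - POST_COST
    return "revert" if check(gas_left, gas_before) else "shutdown_path"


def compare(gas_before: int, callee_needs: int) -> dict:
    """Outcome of the same call under each version of the check."""
    return {
        "original": outcome(gas_before, callee_needs, original_check),
        "padded": outcome(gas_before, callee_needs, padded_check),
    }


if __name__ == "__main__":
    # Constructed scenarios: (gas at gasBefore, gas the oracle call needs)
    for gas_before, needs in [(1_000_000, 500_000), (200_000, 500_000), (3_000_000, 5_000_000)]:
        print(gas_before, needs, compare(gas_before, needs))
```

With these assumed costs, an out-of-gas oracle call always trips the original check, while the padded check does not fire because the retained 1/64 plus 2000 exceeds `gasBefore / 64`. The model does not cover whether the retained gas is enough to finish the rest of the transaction.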