Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
code423n4Code4renaCODE423N4:2022-10-HOLOGRAPH-FINDINGS-ISSUES-364
HistoryOct 25, 2022 - 12:00 a.m.

If user sets a low gasPrice the operator would have to choose between being locked out of the pod or executing the job anyway

2022-10-2500:00:00
Code4rena
github.com
7
gas price
operator compensation
vulnerability impact
gas fee
operator lockout
JSON

Lines of code
<https://github.com/code-423n4/2022-10-holograph/blob/f8c2eae866280a1acfdc8a8352401ed031be1373/contracts/HolographOperator.sol#L593-L596&gt;
<https://github.com/code-423n4/2022-10-holograph/blob/f8c2eae866280a1acfdc8a8352401ed031be1373/contracts/module/LayerZeroModule.sol#L277-L294&gt;

Vulnerability details

During the beaming process the user compensates the operator for the gas he has to pay by sending some source-chain-native-tokens via hToken.
The amount he has to pay is determined according to the gasPrice set by the user, which is supposed to be the maximum gas price to be used on dest chain (therefore predicting the max gas fee the operator would pay and paying him the same value in src chain native tokens).
However, in case the user sets a low price (as low as 1 wei) the operator can’t skip the job because he’s locked out of the pod till he executes the job.
The operator would have to choose between loosing money by paying a higher gas fee than he’s compensated for or being locked out of the pod - not able to execute additional jobs or get back his bonded amount.

Impact

Operator would be loosing money by having to pay gas fee that’s higher than the compensation (gas fee can be a few dozens of USD for heavy txs).
This could also be used by attackers to make operators pay for the attackers’ expensive gas tasks:

  • They can deploy their own contract as the ‘source contract’
  • Use the bridgeIn event and the data that’s being sent to it to instruct the source contract what operations need to be executed
  • They can use it for execute operations where the tx.origin doesn’t matter (e.g. USDc gasless send)

Proof of Concept

  • An operator can’t execute any further jobs or leave the pod till the job is executed. From the docs:

> When an operator is selected for a job, they are temporarily removed from the pod, until they complete the job. If an operator successfully finalizes a job, they earn a reward and are placed back into their selected pod.

  • Operator can’t skip a job. Can’t prove a negative but that’s pretty clear from reading the code.
  • There’s indeed a third option - that some other operator/user would execute the job instead of the selected operator, but a) the operator would get slashed for that. b) If the compensation is lower than the gas fee then other users have no incentive to execute it as well.

Recommended Mitigation Steps

Allow operator to opt out of executing the job if the gasPrice is higher than the current gas price

The text was updated successfully, but these errors were encountered:

All reactions

JSON