[Lines of code](https://github.com/code-423n4/2022-10-holograph/blob/f8c2eae866280a1acfdc8a8352401ed031be1373/contracts/HolographBridge.sol#L248-L249) # Vulnerability details ## Impact User can avoid paying gas fees by setting gasPrice to 1 wei and gasLimit to 0. Operators will not receive a gas compensation. Also, fallback operators won't be able to pick up such jobs. ## Proof of Concept 1. Bridging out is a public function that can be called by anyone. The caller is able to set the gas price and the gas limit of the bridge-in call on the destination chain ([HolographBridge.sol#L245-L251]()). 2. gasLimit and gasPrice are passed to the operator contract as is ([HolographBridge.sol#L274-L282]()). 3. In the send function, the operator contract calculates hlgFee based on the gasLimit and gasPrice set by the user ([HolographOperator.sol#L593-L596]()). Actual calculation happens in the getHlgFee function of LayerZeroModule ([LayerZeroModule.sol#L178]()). 4. There's a check for gasPrice == 0, but no check for gasLimit == 0 ([LayerZeroModule.sol#L191-L193]()). 5. Thus, we cannot set gasPrice to 0 (otherwise a real gas price will be used). So we set gasPrice to 1 wei and gasLimit to 0. getHlgFee will return 0 ([LayerZeroModule.sol#L194]()). 6. When hlgFee is 0, we need to send 1 wei to pass this check – [HolographOperator.sol#L595](). 7. 0 fee will be collected from the user ([HolographOperator.sol#L596]()). However, they will still pay 1 wei. Operator will receive 0 hlgFee ([HolographOperator.sol#L622]()). 8. gasLimit and gasPrice are then encoded and passed to LayerZeroModule ([HolographOperator.sol#L635-L647]()). 9. LayerZeroModule ignores them ([LayerZeroModule.sol#L129-L130]()). 10. But they're still encoded in the crossChainPayload. 11. When a message is received on a destination chain, payload is passed to the operator contract as is ([LayerZeroModule.sol#L122]()). 12. The operator contract creates a new job, no gas checks so far ([HolographOperator.sol#L522]()). 13. When an operator executes the job, gas limit and price are extracted ([HolographOperator.sol#L310-L321]()). 14. If gasPrice is 1 wei, fallback operator _will never be able to pick up the job_ since tx.gasprice will always be higher (on most blockchains) ([HolographOperator.sol#L354]()). 15. This check will always pass if gasLimit is 0 ([HolographOperator.sol#L415]()). 16. hTokenValue will be 0 here, so the operator who's executing the job won't receive a gas compensation ([HolographBridge.sol#L218]()). This value was set to 0 on step 7. Even though the jobEstimator function can be used to estimate the gas consumption of a bridgeInRequest call, it still doesn't tell whether the gas compensation is higher that the cost of a bridge-in transaction. ## Tools Used Manual review ## Recommended Mitigation Steps Mitigation steps might include: 1. disallowing setting gas limit to 0; 2. ensuring hToken gas compensation is always greater than 0; 3. allowing operators to fail a job without the risk of being slashed when gas compensation is not enough; 4. forcing users to estimate the gas cost of the bridge-in transaction when calling bridgeOutRequest. --- The text was updated successfully, but these errors were encountered: All reactions